
Windows Analysis Report Products Order.exe

Overview

General Information

Sample Name: Products Order.exe
Analysis ID: 458877
MD5: 7beee2584cd632154d34c65237cd5eb0
SHA1: d192b8805a1d874d480d791f673dbde77f12059b
SHA256: 56390f611b9571d11cdeb128435aaf3d5b282511f4a540d81912d87ffc1d2953
Tags: exe
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • Products Order.exe (PID: 2952 cmdline: 'C:\Users\user\Desktop\Products Order.exe' MD5: 7BEEE2584CD632154D34C65237CD5EB0)
    • Products Order.exe (PID: 5888 cmdline: C:\Users\user\Desktop\Products Order.exe MD5: 7BEEE2584CD632154D34C65237CD5EB0)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "ideshow@eflownutrition.com", "Password": "ngozi8989", "Host": "mail.scottbyscott.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Products Order.exe PID: 5888 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
7.2.Products Order.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
7.2.Products Order.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 7.2.Products Order.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ideshow@eflownutrition.com", "Password": "ngozi8989", "Host": "mail.scottbyscott.com"}
Multi AV Scanner detection for submitted file
Source: Products Order.exe | Virustotal: Detection: 61%
Source: Products Order.exe | Metadefender: Detection: 45%
Source: Products Order.exe | ReversingLabs: Detection: 78%
Machine Learning detection for sample
Source: Products Order.exe | Joe Sandbox ML: detected
Source: 7.2.Products Order.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Products Order.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Products Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | String found in binary or memory: http://oGRaXU.com
Source: Products Order.exe, 00000000.00000003.227417521.00000000062DD000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.227023489.00000000062D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Products Order.exe, 00000000.00000003.227417521.00000000062DD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Products Order.exe, 00000000.00000003.227023489.00000000062D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersW
Source: Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com8
Source: Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comW
Source: Products Order.exe, 00000000.00000003.224020506.00000000062D4000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.223807220.00000000062D4000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn-
Source: Products Order.exe, 00000000.00000003.224020506.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnh
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/K
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/eta
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/w
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: Products Order.exe, 00000000.00000003.221801209.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Products Order.exe, 00000000.00000003.221801209.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com/
Source: Products Order.exe, 00000000.00000003.222128549.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comh
Source: Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kre
Source: Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krthe
Source: Products Order.exe, 00000000.00000003.222509875.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Products Order.exe, 00000000.00000003.222544938.00000000062EB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comn.
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | String found in binary or memory: https://Au1SDZgNiFJp.n
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | String found in binary or memory: https://Au1SDZgNiFJp.net
Source: Products Order.exe, 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\Desktop\Products Order.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 7.2.Products Order.exe.400000.0.unpack, <PrivateImplementationDetails>{CA318437-79D0-47E6-AD5A-E637674672C0}/70291D60-50D6-4282-9AE4-F343420AD8FC.cs | Large array initialization: .cctor: array initializer size 11965
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Products Order.exe
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_0154AD00
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01540D30
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01546BE0
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01543790
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01548D80
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_0154C188
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01545038
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01547A5E
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01547A60
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018B6158
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018B5B21
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018B3680
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018BD3EE
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A21368
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A4C5B0
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A428C8
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A48EA0
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A4E530
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A45578
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01A46490
Source: Products Order.exe, 00000000.00000000.218947395.00000000010E8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBindingFla.exe> vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.489342552.000000000178A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.496023425.0000000006740000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Products Order.exe
Source: Products Order.exe, 00000007.00000000.270811026.0000000001068000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBindingFla.exe> vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamefGTSWhFZukHSMrbrFCgDqhElwPzfvrA.exe4 vs Products Order.exe
Source: Products Order.exe, 00000007.00000002.489864931.00000000018A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Products Order.exe
Source: Products Order.exe | Binary or memory string: OriginalFilenameBindingFla.exe> vs Products Order.exe
Source: Products Order.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Products Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.2.Products Order.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Products Order.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Products Order.exe.log
Source: Products Order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Products Order.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Products Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Products Order.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Products Order.exe, 00000000.00000000.218832833.0000000000FE2000.00000002.00020000.sdmp, Products Order.exe, 00000007.00000000.270686053.0000000000F62000.00000002.00020000.sdmp | Binary or memory string: SELECT !{0}{1}[{2}].[ID]!{0}FROM [{1}]{2}5WHERE [{0}].[{1}ID] = {2};
Source: Products Order.exe | Virustotal: Detection: 61%
Source: Products Order.exe | Metadefender: Detection: 45%
Source: Products Order.exe | ReversingLabs: Detection: 78%
Source: unknown | Process created: C:\Users\user\Desktop\Products Order.exe 'C:\Users\user\Desktop\Products Order.exe'
Source: C:\Users\user\Desktop\Products Order.exe | Process created: C:\Users\user\Desktop\Products Order.exe C:\Users\user\Desktop\Products Order.exe
Source: C:\Users\user\Desktop\Products Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Products Order.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Products Order.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Products Order.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Products Order.exe | Static file information: File size 1071104 > 1048576
Source: Products Order.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x104e00
Source: Products Order.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Products Order.exe | Static PE information: 0xB2837D03 [Wed Nov 26 21:47:47 2064 UTC]
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018BB577 push edi; retn 0000h
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018BD3CA push ebx; retf
Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_018B5A70 push es; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.23009151105
Source: Products Order.exe, jEJ3iSXqfk6lZpjMd1/s0Q1lMy23wLtJ5aYvV.cs | High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'jgbN2Ee7mC', 'eY4NY6BDTR', 'r8jNhYUGQW', 'rZ9NcmMoCK', 'RvGNKsD9yL', 'QY5N0DVrl6', 'orGNQsL8id'
Source: Products Order.exe, CZDWkSxlutEmWZ8Des/LjYhvLOFbulQVHUFEL.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'ftthtjKNsV', 'f7sSfvTXT9', 'vqGSsX5L7D', 'REySnMwvVc', 'a7xSzr2Lni', 'xstN2XQJav', 'Ha3NXTiuwN', 'aBXNMdIRCG'
Source: Products Order.exe, LolhYxwjKnfDh5Lfvg/EiOTPuWehH56J2e6gk.cs | High entropy of concatenated method names: 'XsdKpJToTO', 'DWyKKCOBMb', '.ctor', 'ArEp3lTxvL', 'woypD0fUOP', 'L8Fp1AjqqS', 'MZjpRXE0mT', 'lcRpoYQMVc', 'EaxpPFcmrN', 'h49ptZxvIp'
Source: Products Order.exe, RitTO5rInvUdtxtaI5/GLt03cLTDHJJZt4aoe.cs | High entropy of concatenated method names: '.ctor', 'aEGhHfbmyA', 'Dispose', 'QJehUNZOHu', 'Vlrh8kqQ6l', 'Xlch6fSA3v', 'xuThGKjNEa', 'C43h4OJ5la', 'wCGhO9D1w7', 'OwQSQav2uu'
Source: Products Order.exe, aRFd54IaycYrDka8uo/SB1f1Gm9GFCkdp0CaA.cs | High entropy of concatenated method names: '.ctor', 'pjMD9y27H', 'tXGgkr5cM', 'RcTCDHJJZ', 'H03RlFNsS', 'WQ3F1jUWi', 'cMPTG6vnp', 'wixPFs0ac', 'a4OzpaEHl', 'gkBY2mC8Lh'
Source: Products Order.exe, CjobfHSDfoL4D3dn1A/jT8ZVSfZFJS0xhiWby.cs | High entropy of concatenated method names: 'VHmLxGRbED', 'DsELadslMk', 'DTIL7bd70Y', 'wcvLyx1XRr', 'TKjLCXiU7J', 'WY6LP2GHVY', 'lbPYI22YFF', 'hMfYSemnEV', 'zR8YyOMoTd', '.ctor'
Source: Products Order.exe, mEvtZo1S3f2PmS807p/EMHZcLg6tBVwih1naU.cs | High entropy of concatenated method names: 'VTPKWxOtOu', 'yTLKwHifd7', 'bRBKDO6vcn', 'uVqKgvWWio', 'GaRKRYZsKy', 'By2KFSaJLg', 'xNjKT4bP5C', 'DDqKPewBcY', 'i7RKz5RlnZ', 'BEP02MWQDU'
Source: Products Order.exe, GZwBDXVOq9WPEOQSBN/pr8vCDeqm2b09CZnn2.cs | High entropy of concatenated method names: '.ctor', 'Save', 'MOQvSBNgB', 'Load', 'Tf1qG9GFC', 'JdpZ0CaAY', 'UFda54ayc', 'ghPHvlxODboG0C2DCb', 'tokp3wupnx7teMC9iD', 'xuWicpt6MnT8UqpIAj'
Source: Products Order.exe, BGs9jPE93YkaZhXU4o/slhC4VlMdgKEy3jB8K.cs | High entropy of concatenated method names: '.ctor', 'kKHpSRMmnC', 'zq8pyUBdbf', 'aOhpXf1Klt', 'QXApLKxUNI', 'jDqprdNlI2', 'PV163Ob6dAlDkryA2Bp', 'bS30lCbky2BSsFaaoAW', 'MwI8kvbakf9nVNXChvo', 't0OJ5xbjP0KR5rjk6G9'
Source: Products Order.exe, cmZGbTY8Zbl6eWIQRXx/AaNAGrYUblT7KK7b4Lv.cs | High entropy of concatenated method names: '.ctor', 'YD0S2X3gxc', 'mC8SYsIpwM', 'BIiShxTUdo', 'BgUScYojxn', 'PhUfPmFmkw', 'EL9ftaiNiX', 'GctfzvF3ws', 'Ckixt3AvXKY6aCuAYHw', 'BpAE9YACUrmZJy3GPVP'
Source: Products Order.exe, ldWSQ8YH7XeS9qZer8h/H75utYYa0CILewlQ0Vo.cs | High entropy of concatenated method names: '.ctor', 'JREEzlCpyP', 'lDjT2wagwJ', 'PKSfDpVYyN', 'k1Tfgha45q', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
Source: Products Order.exe, NRpH4BYZyrGXKZrqqLv/SvleMWYqQLrA5px6syY.cs | High entropy of concatenated method names: 'gh2fOxLTbn', 'zQdfx6cDoK', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
Source: Products Order.exe, ArZSSGYXL5IdB5pH0YZ/tHUMADYytMpJZW2OxgV.cs | High entropy of concatenated method names: 'Kt6QWXF8N5', 'eoDQwFBAXt', 'N7fQ36uCTk', 'q43QD0UTj4', 'XjfQg5R9bN', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
Source: Products Order.exe, a4eAFCYciwXRIvke8XM/BCgNmDYhQFiJQf76LQ7.cs | High entropy of concatenated method names: '.ctor', 'CPnQs5SfM6', 'VfiQAGhdBL', 'ovqQdlpEB2', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'PJSmeHcaKH4jqonnDSD', 'MCFunGc6e3fLfLJHAZd'
Source: Products Order.exe, G2qbT2YvtRxukMNikbA/LgygSGYBoAp4MJcxaBq.cs | High entropy of concatenated method names: '.ctor', 'hZdfs90Xh2', 'BvoEQYfVcd', 'RQIEOBSVg1', 'YhZtwtAR6O120fCynK7', 'iUsbEfAUqROPRLjyU6w', 'tCYyXgAGWxtw5hk4Oj6', 'P2ZSENADwieZ13mVHf1', 'WdjcuUA5YmwfBySMiyE', 'IeVKBRAoP7mWuJuf5Jo'
Source: Products Order.exe, SQ0tRPYrbQslkKNqwJb/QLhoT9YLQ3g3xPPayxk.cs | High entropy of concatenated method names: '.ctor', 'B9LMiN4v7K', 'vWqMs74H5V', 'oWJMN5GbqB', 'dkLMhrqjbi', 'rh5MccE9qP', 'KShMp4AdVg', 'AIdMKWxFxo', 'bswM0sPjGW', 'uCaM5pM5kL'
Source: Products Order.exe, hys8cyYdCWEPtZHKPyE/W0VpBxYJSfYM5SoSBCp.cs | High entropy of concatenated method names: '.ctor', 'cRgIqNrZmw', 'jdBIZQG6w9', 'PkiIH2j1j7', 'AbOIUD12Kg', 'get_Multiline', 'set_Multiline', 'LbDVCVsVqo', 'JoTVljqfNd', 'trYVEWruLP'
Source: Products Order.exe, Fwrc7ZYsp2tWFrurvT9/a9HxWcYiK4WifDgPB1P.cs | High entropy of concatenated method names: 'Dispose', 'I4snZbwfcu', 'lNlnabj5gU', 'N92nHUBAxj', 'MjTnUT1GUa', 'get_MinimumSize', 'set_MinimumSize', 'lWOeArWZGx', 'NukeJP7ido', 'gImeB42KB6'
Source: Products Order.exe, YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.cs | High entropy of concatenated method names: 'Iab0JWfOJK', 'kfe0dKkLj4', 'lrk0BP3TJa', 'yHC0vc0Ml5', 'nhA0qFackr', 't070ZtGVtN', 'qdQ0aSB0W6', 'WRA0Hus0Vy', 'NJr0UJvjtE', 'EjE08Isomy'
Source: Products Order.exe, NuASiyYANxi0P2J5eux/jNDFvWYujAkcugZCGBx.cs | High entropy of concatenated method names: 'tfZVfipv3V', 'VEVVSVSaLP', 'pDoVN5HQQd', 'bdyVhGFguJ', 'ov2VpmXiCS', 'clYVKIOPEN', 'wNLV0GXort', 'qiFV52hhJW', 'UaiVQJ8P0l', 'EB7V9Cli2x'
Source: 0.0.Products Order.exe.fe0000.0.unpack, jEJ3iSXqfk6lZpjMd1/s0Q1lMy23wLtJ5aYvV.cs | High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'jgbN2Ee7mC', 'eY4NY6BDTR', 'r8jNhYUGQW', 'rZ9NcmMoCK', 'RvGNKsD9yL', 'QY5N0DVrl6', 'orGNQsL8id'
Source: 0.0.Products Order.exe.fe0000.0.unpack, CZDWkSxlutEmWZ8Des/LjYhvLOFbulQVHUFEL.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'ftthtjKNsV', 'f7sSfvTXT9', 'vqGSsX5L7D', 'REySnMwvVc', 'a7xSzr2Lni', 'xstN2XQJav', 'Ha3NXTiuwN', 'aBXNMdIRCG'
Source: 0.0.Products Order.exe.fe0000.0.unpack, LolhYxwjKnfDh5Lfvg/EiOTPuWehH56J2e6gk.cs | High entropy of concatenated method names: 'XsdKpJToTO', 'DWyKKCOBMb', '.ctor', 'ArEp3lTxvL', 'woypD0fUOP', 'L8Fp1AjqqS', 'MZjpRXE0mT', 'lcRpoYQMVc', 'EaxpPFcmrN', 'h49ptZxvIp'
Source: 0.0.Products Order.exe.fe0000.0.unpack, CjobfHSDfoL4D3dn1A/jT8ZVSfZFJS0xhiWby.cs | High entropy of concatenated method names: 'VHmLxGRbED', 'DsELadslMk', 'DTIL7bd70Y', 'wcvLyx1XRr', 'TKjLCXiU7J', 'WY6LP2GHVY', 'lbPYI22YFF', 'hMfYSemnEV', 'zR8YyOMoTd', '.ctor'
Source: 0.0.Products Order.exe.fe0000.0.unpack, RitTO5rInvUdtxtaI5/GLt03cLTDHJJZt4aoe.cs | High entropy of concatenated method names: '.ctor', 'aEGhHfbmyA', 'Dispose', 'QJehUNZOHu', 'Vlrh8kqQ6l', 'Xlch6fSA3v', 'xuThGKjNEa', 'C43h4OJ5la', 'wCGhO9D1w7', 'OwQSQav2uu'
Source: 0.0.Products Order.exe.fe0000.0.unpack, mEvtZo1S3f2PmS807p/EMHZcLg6tBVwih1naU.cs | High entropy of concatenated method names: 'VTPKWxOtOu', 'yTLKwHifd7', 'bRBKDO6vcn', 'uVqKgvWWio', 'GaRKRYZsKy', 'By2KFSaJLg', 'xNjKT4bP5C', 'DDqKPewBcY', 'i7RKz5RlnZ', 'BEP02MWQDU'
Source: 0.0.Products Order.exe.fe0000.0.unpack, aRFd54IaycYrDka8uo/SB1f1Gm9GFCkdp0CaA.cs | High entropy of concatenated method names: '.ctor', 'pjMD9y27H', 'tXGgkr5cM', 'RcTCDHJJZ', 'H03RlFNsS', 'WQ3F1jUWi', 'cMPTG6vnp', 'wixPFs0ac', 'a4OzpaEHl', 'gkBY2mC8Lh'
Source: 0.0.Products Order.exe.fe0000.0.unpack, NuASiyYANxi0P2J5eux/jNDFvWYujAkcugZCGBx.cs | High entropy of concatenated method names: 'tfZVfipv3V', 'VEVVSVSaLP', 'pDoVN5HQQd', 'bdyVhGFguJ', 'ov2VpmXiCS', 'clYVKIOPEN', 'wNLV0GXort', 'qiFV52hhJW', 'UaiVQJ8P0l', 'EB7V9Cli2x'
Source: 0.0.Products Order.exe.fe0000.0.unpack, hys8cyYdCWEPtZHKPyE/W0VpBxYJSfYM5SoSBCp.cs | High entropy of concatenated method names: '.ctor', 'cRgIqNrZmw', 'jdBIZQG6w9', 'PkiIH2j1j7', 'AbOIUD12Kg', 'get_Multiline', 'set_Multiline', 'LbDVCVsVqo', 'JoTVljqfNd', 'trYVEWruLP'
Source: 0.0.Products Order.exe.fe0000.0.unpack, BGs9jPE93YkaZhXU4o/slhC4VlMdgKEy3jB8K.cs | High entropy of concatenated method names: '.ctor', 'kKHpSRMmnC', 'zq8pyUBdbf', 'aOhpXf1Klt', 'QXApLKxUNI', 'jDqprdNlI2', 'PV163Ob6dAlDkryA2Bp', 'bS30lCbky2BSsFaaoAW', 'MwI8kvbakf9nVNXChvo', 't0OJ5xbjP0KR5rjk6G9'
Source: 0.0.Products Order.exe.fe0000.0.unpack, G2qbT2YvtRxukMNikbA/LgygSGYBoAp4MJcxaBq.cs | High entropy of concatenated method names: '.ctor', 'hZdfs90Xh2', 'BvoEQYfVcd', 'RQIEOBSVg1', 'YhZtwtAR6O120fCynK7', 'iUsbEfAUqROPRLjyU6w', 'tCYyXgAGWxtw5hk4Oj6', 'P2ZSENADwieZ13mVHf1', 'WdjcuUA5YmwfBySMiyE', 'IeVKBRAoP7mWuJuf5Jo'
Source: 0.0.Products Order.exe.fe0000.0.unpack, GZwBDXVOq9WPEOQSBN/pr8vCDeqm2b09CZnn2.cs | High entropy of concatenated method names: '.ctor', 'Save', 'MOQvSBNgB', 'Load', 'Tf1qG9GFC', 'JdpZ0CaAY', 'UFda54ayc', 'ghPHvlxODboG0C2DCb', 'tokp3wupnx7teMC9iD', 'xuWicpt6MnT8UqpIAj'
Source: 0.0.Products Order.exe.fe0000.0.unpack, ArZSSGYXL5IdB5pH0YZ/tHUMADYytMpJZW2OxgV.cs | High entropy of concatenated method names: 'Kt6QWXF8N5', 'eoDQwFBAXt', 'N7fQ36uCTk', 'q43QD0UTj4', 'XjfQg5R9bN', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
Source: 0.0.Products Order.exe.fe0000.0.unpack, NRpH4BYZyrGXKZrqqLv/SvleMWYqQLrA5px6syY.cs | High entropy of concatenated method names: 'gh2fOxLTbn', 'zQdfx6cDoK', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
Source: 0.0.Products Order.exe.fe0000.0.unpack, SQ0tRPYrbQslkKNqwJb/QLhoT9YLQ3g3xPPayxk.cs | High entropy of concatenated method names: '.ctor', 'B9LMiN4v7K', 'vWqMs74H5V', 'oWJMN5GbqB', 'dkLMhrqjbi', 'rh5MccE9qP', 'KShMp4AdVg', 'AIdMKWxFxo', 'bswM0sPjGW', 'uCaM5pM5kL'
Source: 0.0.Products Order.exe.fe0000.0.unpack, ldWSQ8YH7XeS9qZer8h/H75utYYa0CILewlQ0Vo.cs | High entropy of concatenated method names: '.ctor', 'JREEzlCpyP', 'lDjT2wagwJ', 'PKSfDpVYyN', 'k1Tfgha45q', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
Source: 0.0.Products Order.exe.fe0000.0.unpack, YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.cs | High entropy of concatenated method names: 'Iab0JWfOJK', 'kfe0dKkLj4', 'lrk0BP3TJa', 'yHC0vc0Ml5', 'nhA0qFackr', 't070ZtGVtN', 'qdQ0aSB0W6', 'WRA0Hus0Vy', 'NJr0UJvjtE', 'EjE08Isomy'
Source: 0.0.Products Order.exe.fe0000.0.unpack, Fwrc7ZYsp2tWFrurvT9/a9HxWcYiK4WifDgPB1P.cs | High entropy of concatenated method names: 'Dispose', 'I4snZbwfcu', 'lNlnabj5gU', 'N92nHUBAxj', 'MjTnUT1GUa', 'get_MinimumSize', 'set_MinimumSize', 'lWOeArWZGx', 'NukeJP7ido', 'gImeB42KB6'
Source: 0.0.Products Order.exe.fe0000.0.unpack, cmZGbTY8Zbl6eWIQRXx/AaNAGrYUblT7KK7b4Lv.cs | High entropy of concatenated method names: '.ctor', 'YD0S2X3gxc', 'mC8SYsIpwM', 'BIiShxTUdo', 'BgUScYojxn', 'PhUfPmFmkw', 'EL9ftaiNiX', 'GctfzvF3ws', 'Ckixt3AvXKY6aCuAYHw', 'BpAE9YACUrmZJy3GPVP'
Source: 0.0.Products Order.exe.fe0000.0.unpack, a4eAFCYciwXRIvke8XM/BCgNmDYhQFiJQf76LQ7.cs | High entropy of concatenated method names: '.ctor', 'CPnQs5SfM6', 'VfiQAGhdBL', 'ovqQdlpEB2', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'PJSmeHcaKH4jqonnDSD', 'MCFunGc6e3fLfLJHAZd'
Source: 7.2.Products Order.exe.f60000.1.unpack, jEJ3iSXqfk6lZpjMd1/s0Q1lMy23wLtJ5aYvV.cs | High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'jgbN2Ee7mC', 'eY4NY6BDTR', 'r8jNhYUGQW', 'rZ9NcmMoCK', 'RvGNKsD9yL', 'QY5N0DVrl6', 'orGNQsL8id'
Source: 7.2.Products Order.exe.f60000.1.unpack, CZDWkSxlutEmWZ8Des/LjYhvLOFbulQVHUFEL.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'ftthtjKNsV', 'f7sSfvTXT9', 'vqGSsX5L7D', 'REySnMwvVc', 'a7xSzr2Lni', 'xstN2XQJav', 'Ha3NXTiuwN', 'aBXNMdIRCG'
Source: 7.2.Products Order.exe.f60000.1.unpack, LolhYxwjKnfDh5Lfvg/EiOTPuWehH56J2e6gk.cs | High entropy of concatenated method names: 'XsdKpJToTO', 'DWyKKCOBMb', '.ctor', 'ArEp3lTxvL', 'woypD0fUOP', 'L8Fp1AjqqS', 'MZjpRXE0mT', 'lcRpoYQMVc', 'EaxpPFcmrN', 'h49ptZxvIp'
Source: 7.2.Products Order.exe.f60000.1.unpack, RitTO5rInvUdtxtaI5/GLt03cLTDHJJZt4aoe.cs | High entropy of concatenated method names: '.ctor', 'aEGhHfbmyA', 'Dispose', 'QJehUNZOHu', 'Vlrh8kqQ6l', 'Xlch6fSA3v', 'xuThGKjNEa', 'C43h4OJ5la', 'wCGhO9D1w7', 'OwQSQav2uu'
Source: 7.2.Products Order.exe.f60000.1.unpack, aRFd54IaycYrDka8uo/SB1f1Gm9GFCkdp0CaA.cs | High entropy of concatenated method names: '.ctor', 'pjMD9y27H', 'tXGgkr5cM', 'RcTCDHJJZ', 'H03RlFNsS', 'WQ3F1jUWi', 'cMPTG6vnp', 'wixPFs0ac', 'a4OzpaEHl', 'gkBY2mC8Lh'
Source: 7.2.Products Order.exe.f60000.1.unpack, CjobfHSDfoL4D3dn1A/jT8ZVSfZFJS0xhiWby.cs | High entropy of concatenated method names: 'VHmLxGRbED', 'DsELadslMk', 'DTIL7bd70Y', 'wcvLyx1XRr', 'TKjLCXiU7J', 'WY6LP2GHVY', 'lbPYI22YFF', 'hMfYSemnEV', 'zR8YyOMoTd', '.ctor'
Source: 7.2.Products Order.exe.f60000.1.unpack, cmZGbTY8Zbl6eWIQRXx/AaNAGrYUblT7KK7b4Lv.cs | High entropy of concatenated method names: '.ctor', 'YD0S2X3gxc', 'mC8SYsIpwM', 'BIiShxTUdo', 'BgUScYojxn', 'PhUfPmFmkw', 'EL9ftaiNiX', 'GctfzvF3ws', 'Ckixt3AvXKY6aCuAYHw', 'BpAE9YACUrmZJy3GPVP'
Source: 7.2.Products Order.exe.f60000.1.unpack, mEvtZo1S3f2PmS807p/EMHZcLg6tBVwih1naU.cs | High entropy of concatenated method names: 'VTPKWxOtOu', 'yTLKwHifd7', 'bRBKDO6vcn', 'uVqKgvWWio', 'GaRKRYZsKy', 'By2KFSaJLg', 'xNjKT4bP5C', 'DDqKPewBcY', 'i7RKz5RlnZ', 'BEP02MWQDU'
Source: 7.2.Products Order.exe.f60000.1.unpack, G2qbT2YvtRxukMNikbA/LgygSGYBoAp4MJcxaBq.cs | High entropy of concatenated method names: '.ctor', 'hZdfs90Xh2', 'BvoEQYfVcd', 'RQIEOBSVg1', 'YhZtwtAR6O120fCynK7', 'iUsbEfAUqROPRLjyU6w', 'tCYyXgAGWxtw5hk4Oj6', 'P2ZSENADwieZ13mVHf1', 'WdjcuUA5YmwfBySMiyE', 'IeVKBRAoP7mWuJuf5Jo'
Source: 7.2.Products Order.exe.f60000.1.unpack, Fwrc7ZYsp2tWFrurvT9/a9HxWcYiK4WifDgPB1P.cs | High entropy of concatenated method names: 'Dispose', 'I4snZbwfcu', 'lNlnabj5gU', 'N92nHUBAxj', 'MjTnUT1GUa', 'get_MinimumSize', 'set_MinimumSize', 'lWOeArWZGx', 'NukeJP7ido', 'gImeB42KB6'
                Source: 7.2.Products Order.exe.f60000.1.unpack, hys8cyYdCWEPtZHKPyE/W0VpBxYJSfYM5SoSBCp.csHigh entropy of concatenated method names: '.ctor', 'cRgIqNrZmw', 'jdBIZQG6w9', 'PkiIH2j1j7', 'AbOIUD12Kg', 'get_Multiline', 'set_Multiline', 'LbDVCVsVqo', 'JoTVljqfNd', 'trYVEWruLP'
                Source: 7.2.Products Order.exe.f60000.1.unpack, BGs9jPE93YkaZhXU4o/slhC4VlMdgKEy3jB8K.csHigh entropy of concatenated method names: '.ctor', 'kKHpSRMmnC', 'zq8pyUBdbf', 'aOhpXf1Klt', 'QXApLKxUNI', 'jDqprdNlI2', 'PV163Ob6dAlDkryA2Bp', 'bS30lCbky2BSsFaaoAW', 'MwI8kvbakf9nVNXChvo', 't0OJ5xbjP0KR5rjk6G9'
                Source: 7.2.Products Order.exe.f60000.1.unpack, SQ0tRPYrbQslkKNqwJb/QLhoT9YLQ3g3xPPayxk.csHigh entropy of concatenated method names: '.ctor', 'B9LMiN4v7K', 'vWqMs74H5V', 'oWJMN5GbqB', 'dkLMhrqjbi', 'rh5MccE9qP', 'KShMp4AdVg', 'AIdMKWxFxo', 'bswM0sPjGW', 'uCaM5pM5kL'
                Source: 7.2.Products Order.exe.f60000.1.unpack, GZwBDXVOq9WPEOQSBN/pr8vCDeqm2b09CZnn2.csHigh entropy of concatenated method names: '.ctor', 'Save', 'MOQvSBNgB', 'Load', 'Tf1qG9GFC', 'JdpZ0CaAY', 'UFda54ayc', 'ghPHvlxODboG0C2DCb', 'tokp3wupnx7teMC9iD', 'xuWicpt6MnT8UqpIAj'
                Source: 7.2.Products Order.exe.f60000.1.unpack, NRpH4BYZyrGXKZrqqLv/SvleMWYqQLrA5px6syY.csHigh entropy of concatenated method names: 'gh2fOxLTbn', 'zQdfx6cDoK', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
                Source: 7.2.Products Order.exe.f60000.1.unpack, ArZSSGYXL5IdB5pH0YZ/tHUMADYytMpJZW2OxgV.csHigh entropy of concatenated method names: 'Kt6QWXF8N5', 'eoDQwFBAXt', 'N7fQ36uCTk', 'q43QD0UTj4', 'XjfQg5R9bN', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
                Source: 7.2.Products Order.exe.f60000.1.unpack, NuASiyYANxi0P2J5eux/jNDFvWYujAkcugZCGBx.csHigh entropy of concatenated method names: 'tfZVfipv3V', 'VEVVSVSaLP', 'pDoVN5HQQd', 'bdyVhGFguJ', 'ov2VpmXiCS', 'clYVKIOPEN', 'wNLV0GXort', 'qiFV52hhJW', 'UaiVQJ8P0l', 'EB7V9Cli2x'
                Source: 7.2.Products Order.exe.f60000.1.unpack, ldWSQ8YH7XeS9qZer8h/H75utYYa0CILewlQ0Vo.csHigh entropy of concatenated method names: '.ctor', 'JREEzlCpyP', 'lDjT2wagwJ', 'PKSfDpVYyN', 'k1Tfgha45q', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
                Source: 7.2.Products Order.exe.f60000.1.unpack, YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.csHigh entropy of concatenated method names: 'Iab0JWfOJK', 'kfe0dKkLj4', 'lrk0BP3TJa', 'yHC0vc0Ml5', 'nhA0qFackr', 't070ZtGVtN', 'qdQ0aSB0W6', 'WRA0Hus0Vy', 'NJr0UJvjtE', 'EjE08Isomy'
                Source: 7.2.Products Order.exe.f60000.1.unpack, a4eAFCYciwXRIvke8XM/BCgNmDYhQFiJQf76LQ7.csHigh entropy of concatenated method names: '.ctor', 'CPnQs5SfM6', 'VfiQAGhdBL', 'ovqQdlpEB2', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'PJSmeHcaKH4jqonnDSD', 'MCFunGc6e3fLfLJHAZd'
                Source: 7.0.Products Order.exe.f60000.0.unpack, jEJ3iSXqfk6lZpjMd1/s0Q1lMy23wLtJ5aYvV.csHigh entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'jgbN2Ee7mC', 'eY4NY6BDTR', 'r8jNhYUGQW', 'rZ9NcmMoCK', 'RvGNKsD9yL', 'QY5N0DVrl6', 'orGNQsL8id'
                Source: 7.0.Products Order.exe.f60000.0.unpack, CZDWkSxlutEmWZ8Des/LjYhvLOFbulQVHUFEL.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'ftthtjKNsV', 'f7sSfvTXT9', 'vqGSsX5L7D', 'REySnMwvVc', 'a7xSzr2Lni', 'xstN2XQJav', 'Ha3NXTiuwN', 'aBXNMdIRCG'
                Source: 7.0.Products Order.exe.f60000.0.unpack, LolhYxwjKnfDh5Lfvg/EiOTPuWehH56J2e6gk.csHigh entropy of concatenated method names: 'XsdKpJToTO', 'DWyKKCOBMb', '.ctor', 'ArEp3lTxvL', 'woypD0fUOP', 'L8Fp1AjqqS', 'MZjpRXE0mT', 'lcRpoYQMVc', 'EaxpPFcmrN', 'h49ptZxvIp'
                Source: 7.0.Products Order.exe.f60000.0.unpack, RitTO5rInvUdtxtaI5/GLt03cLTDHJJZt4aoe.csHigh entropy of concatenated method names: '.ctor', 'aEGhHfbmyA', 'Dispose', 'QJehUNZOHu', 'Vlrh8kqQ6l', 'Xlch6fSA3v', 'xuThGKjNEa', 'C43h4OJ5la', 'wCGhO9D1w7', 'OwQSQav2uu'
                Source: 7.0.Products Order.exe.f60000.0.unpack, CjobfHSDfoL4D3dn1A/jT8ZVSfZFJS0xhiWby.csHigh entropy of concatenated method names: 'VHmLxGRbED', 'DsELadslMk', 'DTIL7bd70Y', 'wcvLyx1XRr', 'TKjLCXiU7J', 'WY6LP2GHVY', 'lbPYI22YFF', 'hMfYSemnEV', 'zR8YyOMoTd', '.ctor'
                Source: 7.0.Products Order.exe.f60000.0.unpack, aRFd54IaycYrDka8uo/SB1f1Gm9GFCkdp0CaA.csHigh entropy of concatenated method names: '.ctor', 'pjMD9y27H', 'tXGgkr5cM', 'RcTCDHJJZ', 'H03RlFNsS', 'WQ3F1jUWi', 'cMPTG6vnp', 'wixPFs0ac', 'a4OzpaEHl', 'gkBY2mC8Lh'
                Source: 7.0.Products Order.exe.f60000.0.unpack, mEvtZo1S3f2PmS807p/EMHZcLg6tBVwih1naU.csHigh entropy of concatenated method names: 'VTPKWxOtOu', 'yTLKwHifd7', 'bRBKDO6vcn', 'uVqKgvWWio', 'GaRKRYZsKy', 'By2KFSaJLg', 'xNjKT4bP5C', 'DDqKPewBcY', 'i7RKz5RlnZ', 'BEP02MWQDU'
                Source: 7.0.Products Order.exe.f60000.0.unpack, GZwBDXVOq9WPEOQSBN/pr8vCDeqm2b09CZnn2.csHigh entropy of concatenated method names: '.ctor', 'Save', 'MOQvSBNgB', 'Load', 'Tf1qG9GFC', 'JdpZ0CaAY', 'UFda54ayc', 'ghPHvlxODboG0C2DCb', 'tokp3wupnx7teMC9iD', 'xuWicpt6MnT8UqpIAj'
                Source: 7.0.Products Order.exe.f60000.0.unpack, ldWSQ8YH7XeS9qZer8h/H75utYYa0CILewlQ0Vo.csHigh entropy of concatenated method names: '.ctor', 'JREEzlCpyP', 'lDjT2wagwJ', 'PKSfDpVYyN', 'k1Tfgha45q', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
                Source: 7.0.Products Order.exe.f60000.0.unpack, BGs9jPE93YkaZhXU4o/slhC4VlMdgKEy3jB8K.csHigh entropy of concatenated method names: '.ctor', 'kKHpSRMmnC', 'zq8pyUBdbf', 'aOhpXf1Klt', 'QXApLKxUNI', 'jDqprdNlI2', 'PV163Ob6dAlDkryA2Bp', 'bS30lCbky2BSsFaaoAW', 'MwI8kvbakf9nVNXChvo', 't0OJ5xbjP0KR5rjk6G9'
                Source: 7.0.Products Order.exe.f60000.0.unpack, NRpH4BYZyrGXKZrqqLv/SvleMWYqQLrA5px6syY.csHigh entropy of concatenated method names: 'gh2fOxLTbn', 'zQdfx6cDoK', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
                Source: 7.0.Products Order.exe.f60000.0.unpack, cmZGbTY8Zbl6eWIQRXx/AaNAGrYUblT7KK7b4Lv.csHigh entropy of concatenated method names: '.ctor', 'YD0S2X3gxc', 'mC8SYsIpwM', 'BIiShxTUdo', 'BgUScYojxn', 'PhUfPmFmkw', 'EL9ftaiNiX', 'GctfzvF3ws', 'Ckixt3AvXKY6aCuAYHw', 'BpAE9YACUrmZJy3GPVP'
                Source: 7.0.Products Order.exe.f60000.0.unpack, G2qbT2YvtRxukMNikbA/LgygSGYBoAp4MJcxaBq.csHigh entropy of concatenated method names: '.ctor', 'hZdfs90Xh2', 'BvoEQYfVcd', 'RQIEOBSVg1', 'YhZtwtAR6O120fCynK7', 'iUsbEfAUqROPRLjyU6w', 'tCYyXgAGWxtw5hk4Oj6', 'P2ZSENADwieZ13mVHf1', 'WdjcuUA5YmwfBySMiyE', 'IeVKBRAoP7mWuJuf5Jo'
                Source: 7.0.Products Order.exe.f60000.0.unpack, SQ0tRPYrbQslkKNqwJb/QLhoT9YLQ3g3xPPayxk.csHigh entropy of concatenated method names: '.ctor', 'B9LMiN4v7K', 'vWqMs74H5V', 'oWJMN5GbqB', 'dkLMhrqjbi', 'rh5MccE9qP', 'KShMp4AdVg', 'AIdMKWxFxo', 'bswM0sPjGW', 'uCaM5pM5kL'
                Source: 7.0.Products Order.exe.f60000.0.unpack, ArZSSGYXL5IdB5pH0YZ/tHUMADYytMpJZW2OxgV.csHigh entropy of concatenated method names: 'Kt6QWXF8N5', 'eoDQwFBAXt', 'N7fQ36uCTk', 'q43QD0UTj4', 'XjfQg5R9bN', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
                Source: 7.0.Products Order.exe.f60000.0.unpack, hys8cyYdCWEPtZHKPyE/W0VpBxYJSfYM5SoSBCp.csHigh entropy of concatenated method names: '.ctor', 'cRgIqNrZmw', 'jdBIZQG6w9', 'PkiIH2j1j7', 'AbOIUD12Kg', 'get_Multiline', 'set_Multiline', 'LbDVCVsVqo', 'JoTVljqfNd', 'trYVEWruLP'
                Source: 7.0.Products Order.exe.f60000.0.unpack, NuASiyYANxi0P2J5eux/jNDFvWYujAkcugZCGBx.csHigh entropy of concatenated method names: 'tfZVfipv3V', 'VEVVSVSaLP', 'pDoVN5HQQd', 'bdyVhGFguJ', 'ov2VpmXiCS', 'clYVKIOPEN', 'wNLV0GXort', 'qiFV52hhJW', 'UaiVQJ8P0l', 'EB7V9Cli2x'
                Source: 7.0.Products Order.exe.f60000.0.unpack, Fwrc7ZYsp2tWFrurvT9/a9HxWcYiK4WifDgPB1P.csHigh entropy of concatenated method names: 'Dispose', 'I4snZbwfcu', 'lNlnabj5gU', 'N92nHUBAxj', 'MjTnUT1GUa', 'get_MinimumSize', 'set_MinimumSize', 'lWOeArWZGx', 'NukeJP7ido', 'gImeB42KB6'
                Source: 7.0.Products Order.exe.f60000.0.unpack, YHweQvYNSoT9ZiFRU4U/bPfrGsYYL8idwlKvl9b.csHigh entropy of concatenated method names: 'Iab0JWfOJK', 'kfe0dKkLj4', 'lrk0BP3TJa', 'yHC0vc0Ml5', 'nhA0qFackr', 't070ZtGVtN', 'qdQ0aSB0W6', 'WRA0Hus0Vy', 'NJr0UJvjtE', 'EjE08Isomy'
                Source: 7.0.Products Order.exe.f60000.0.unpack, a4eAFCYciwXRIvke8XM/BCgNmDYhQFiJQf76LQ7.csHigh entropy of concatenated method names: '.ctor', 'CPnQs5SfM6', 'VfiQAGhdBL', 'ovqQdlpEB2', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'PJSmeHcaKH4jqonnDSD', 'MCFunGc6e3fLfLJHAZd'
                Source: C:\Users\user\Desktop\Products Order.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\Products Order.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\Products Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\Products Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\Products Order.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Products Order.exe | Window / User API: threadDelayed 662
                Source: C:\Users\user\Desktop\Products Order.exe | Window / User API: threadDelayed 9180
                Source: C:\Users\user\Desktop\Products Order.exe TID: 2964 | Thread sleep time: -43380s >= -30000s
                Source: C:\Users\user\Desktop\Products Order.exe TID: 4072 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\Products Order.exe TID: 6136 | Thread sleep time: -16602069666338586s >= -30000s
                Source: C:\Users\user\Desktop\Products Order.exe TID: 6032 | Thread sleep count: 662 > 30
                Source: C:\Users\user\Desktop\Products Order.exe TID: 6032 | Thread sleep count: 9180 > 30
                Source: C:\Users\user\Desktop\Products Order.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\Products Order.exe | Thread delayed: delay time: 43380
                Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: Products Order.exe, 00000007.00000002.495246243.0000000006420000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\Products Order.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Code function: 7_2_01540040 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\Products Order.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Products Order.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\Products Order.exe | Memory written: C:\Users\user\Desktop\Products Order.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Products Order.exe | Process created: C:\Users\user\Desktop\Products Order.exe C:\Users\user\Desktop\Products Order.exe
                Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp | Binary or memory string: Progman
                Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
                Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
                Source: Products Order.exe, 00000007.00000002.490299889.0000000001E80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Users\user\Desktop\Products Order.exe VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Users\user\Desktop\Products Order.exe VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Products Order.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

                Yara detected AgentTesla
                Source: Yara match | File source: 7.2.Products Order.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match | File source: 7.2.Products Order.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Products Order.exe PID: 5888, type: MEMORYSTR
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Users\user\Desktop\Products Order.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Tries to harvest and steal ftp login credentials
                Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Tries to steal Mail credentials (via file access)
                Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\Products Order.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\Products Order.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\Products Order.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match | File source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Products Order.exe PID: 5888, type: MEMORYSTR

                Remote Access Functionality:

                Yara detected AgentTesla
                Source: Yara match | File source: 7.2.Products Order.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match | File source: 7.2.Products Order.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Products Order.exe PID: 5888, type: MEMORYSTR

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Masquerading1 | OS Credential Dumping2 | Query Registry1 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | Credentials in Registry1 | Security Software Discovery111 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion131 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Local System2 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion131 | Distributed Component Object Model | Clipboard Data1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information2 | Cached Domain Credentials | System Information Discovery114 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                Behavior Graph


                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                Products Order.exe | 61% | Virustotal |
                Products Order.exe | 49% | Metadefender |
                Products Order.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                Products Order.exe | 100% | Joe Sandbox ML |

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                Source | Detection | Scanner | Label
                7.2.Products Order.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                Domains

                No Antivirus matches

                URLs

                Source | Detection | Scanner | Label
                http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                http://DynDns.comDynDNS | 0% | URL Reputation | safe
                http://www.sajatypeworks.com/ | 0% | Virustotal |
                http://www.sajatypeworks.com/ | 0% | Avira URL Cloud | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/K | 0% | URL Reputation | safe
                https://Au1SDZgNiFJp.n | 0% | Avira URL Cloud | safe
                http://www.tiro.com | 0% | URL Reputation | safe
                http://www.sandoll.co.kre | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
                http://www.sandoll.co.krthe | 0% | Avira URL Cloud | safe
                http://www.fonts.comW | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/jp/w | 0% | Avira URL Cloud | safe
                http://oGRaXU.com | 0% | Avira URL Cloud | safe
                http://www.sajatypeworks.com | 0% | URL Reputation | safe
                http://www.tiro.comn. | 0% | Avira URL Cloud | safe
                http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/eta | 0% | Avira URL Cloud | safe
                http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/x | 0% | URL Reputation | safe
                http://www.founder.com.cn/cn- | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/- | 0% | URL Reputation | safe
                https://Au1SDZgNiFJp.net | 0% | Avira URL Cloud | safe
                http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/n | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
                http://www.sandoll.co.kr | 0% | URL Reputation | safe
                http://www.jiyu-kobo.co.jp/d | 0% | URL Reputation | safe
                http://www.fonts.com8 | 0% | URL Reputation | safe
                http://www.sajatypeworks.comh | 0% | Avira URL Cloud | safe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                http://www.founder.com.cn/cnh | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

                No contacted domains info

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://127.0.0.1:HTTP/1.1 | Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                http://DynDns.comDynDNS | Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.sajatypeworks.com/ | Products Order.exe, 00000000.00000003.221801209.00000000062EB000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/K | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://Au1SDZgNiFJp.n | Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.fontbureau.com/designersW | Products Order.exe, 00000000.00000003.227023489.00000000062D9000.00000004.00000001.sdmp | false | | high
                http://www.tiro.com | Products Order.exe, 00000000.00000003.222509875.00000000062EB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers | Products Order.exe, 00000000.00000003.227417521.00000000062DD000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.227023489.00000000062D9000.00000004.00000001.sdmp | false | | high
                http://www.sandoll.co.kre | Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.jiyu-kobo.co.jp/jp/ | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.sandoll.co.krthe | Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.fonts.comW | Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.jiyu-kobo.co.jp/jp/w | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://oGRaXU.com | Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.sajatypeworks.com | Products Order.exe, 00000000.00000003.221801209.00000000062EB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.tiro.comn. | Products Order.exe, 00000000.00000003.222544938.00000000062EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.founder.com.cn/cn/ | Products Order.exe, 00000000.00000003.224020506.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/eta | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.founder.com.cn/cn | Products Order.exe, 00000000.00000003.224020506.00000000062D4000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.223807220.00000000062D4000.00000004.00000001.sdmp, Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/x | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cn- | Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/- | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                https://Au1SDZgNiFJp.net | Products Order.exe, 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                http://www.jiyu-kobo.co.jp/ | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/n | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/Y0 | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fontbureau.com/designers8 | Products Order.exe, 00000000.00000003.227417521.00000000062DD000.00000004.00000001.sdmp | false | | high
                http://www.fonts.com | Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp | false | | high
                http://www.sandoll.co.kr | Products Order.exe, 00000000.00000003.223297725.00000000062D9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.jiyu-kobo.co.jp/d | Products Order.exe, 00000000.00000003.225046664.00000000062D4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.fonts.com8 | Products Order.exe, 00000000.00000003.222041278.00000000062EB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.sajatypeworks.comh | Products Order.exe, 00000000.00000003.222128549.00000000062EB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Products Order.exe, 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.founder.com.cn/cnh | Products Order.exe, 00000000.00000003.223766837.000000000630D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox Version: 33.0.0 White Diamond
                Analysis ID: 458877
                Start date: 03.08.2021
                Start time: 20:28:19
                Joe Sandbox Product: CloudBasic
                Overall analysis duration: 0h 7m 27s
                Hypervisor based Inspection enabled: false
                Report type: light
                Sample file name: Products Order.exe
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of new started processes analysed: 24
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Detection: MAL
                Classification: mal100.troj.spyw.evad.winEXE@3/1@0/0
                EGA Information: Failed
                HDC Information: Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                Warnings:
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                • Not all processes were analyzed; the report is missing behavior information
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.

                Simulations

                Behavior and APIs

                Time | Type | Description
                20:29:29 | API Interceptor | 659x Sleep call for process: Products Order.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASN

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Products Order.exe.log
                Process: C:\Users\user\Desktop\Products Order.exe
                File Type: ASCII text, with CRLF line terminators
                Category: dropped
                Size (bytes): 1216
                Entropy (8bit): 5.355304211458859
                Encrypted: false
                SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                MD5: 69206D3AF7D6EFD08F4B4726998856D3
                SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
                SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                Malicious: true
                Reputation: high, very likely benign file
                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                Static File Info

                General

                File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit): 7.224209758777507
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                • Win32 Executable (generic) a (10002005/4) 49.75%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Windows Screen Saver (13104/52) 0.07%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name: Products Order.exe
                File size: 1071104
                MD5: 7beee2584cd632154d34c65237cd5eb0
                SHA1: d192b8805a1d874d480d791f673dbde77f12059b
                SHA256: 56390f611b9571d11cdeb128435aaf3d5b282511f4a540d81912d87ffc1d2953
                SHA512: 9140b9f85f5c0a90f98a9b1c40d236430cb2d4226fa6b2a9bcb78cfbec853707b379732c1332565190f8425c204a9aa2322944b1d5ab1daf51f8b55d1b2ecee5
                SSDEEP: 24576:xPWfoD8i/dEHmi0DWPTnJa7Rd0duWLCRYbuxq:5iCWrnJQRd7bYb
                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}...................N..........Nm... ........@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x506d4e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xB2837D03 [Wed Nov 26 21:47:47 2064 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x106d00         0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x108000         0x5c8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x10a000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x104d54      0x104e00  False     0.7057238635     data       7.23009151105   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x108000         0x5c8         0x600     False     0.422526041667   data       4.10956691089   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x10a000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA       Size   Type                                                                         Language  Country
RT_VERSION   0x1080a0  0x33c  data
RT_MANIFEST  0x1083dc  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2019
Assembly Version  1.0.0.0
InternalName      BindingFla.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       ControlLibrary
ProductVersion    1.0.0.0
FileDescription   ControlLibrary
OriginalFilename  BindingFla.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 20:29:05
Start date: 03/08/2021
Path: C:\Users\user\Desktop\Products Order.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Products Order.exe'
Imagebase: 0xfe0000
File size: 1071104 bytes
MD5 hash: 7BEEE2584CD632154D34C65237CD5EB0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 20:29:30
Start date: 03/08/2021
Path: C:\Users\user\Desktop\Products Order.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Products Order.exe
Imagebase: 0xf60000
File size: 1071104 bytes
MD5 hash: 7BEEE2584CD632154D34C65237CD5EB0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.486997350.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.491669072.0000000003471000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis
