Loading ...

Play interactive tourEdit tour

Windows Analysis Report order - 922 - LongWay..exe

Overview

General Information

Sample Name:order - 922 - LongWay..exe
Analysis ID:553165
MD5:b94edbaae4beeb37eaeaf525c8790cc9
SHA1:6cf025acfd20344db3fdbb718ea2e9cfcce0285a
SHA256:3cbf94c22af49ad9be152750428263c826c9b020036a0321f10f9fe2eed6ae52
Tags:agentteslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • order - 922 - LongWay..exe (PID: 7140 cmdline: "C:\Users\user\Desktop\order - 922 - LongWay..exe" MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)
    • order - 922 - LongWay..exe (PID: 4864 cmdline: C:\Users\user\Desktop\order - 922 - LongWay..exe MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)
    • order - 922 - LongWay..exe (PID: 6580 cmdline: C:\Users\user\Desktop\order - 922 - LongWay..exe MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)
  • tKZVPq.exe (PID: 6964 cmdline: "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe" MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)
    • tKZVPq.exe (PID: 6872 cmdline: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)
    • tKZVPq.exe (PID: 6156 cmdline: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)
  • tKZVPq.exe (PID: 6172 cmdline: "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe" MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)
    • tKZVPq.exe (PID: 6040 cmdline: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)
    • tKZVPq.exe (PID: 2832 cmdline: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe MD5: B94EDBAAE4BEEB37EAEAF525C8790CC9)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "finance@demo.jeninfo.com", "Password": "%e&qapQ3oNkx", "Host": "mail.demo.jeninfo.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.799658380.0000000002E51000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000010.00000000.791237614.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000010.00000000.791237614.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
        0000000A.00000002.799756430.0000000002E99000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
          00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 40 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            10.2.tKZVPq.exe.3ee9a10.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              10.2.tKZVPq.exe.3ee9a10.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.2.order - 922 - LongWay..exe.2fc78a8.1.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
                  5.0.order - 922 - LongWay..exe.400000.8.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    5.0.order - 922 - LongWay..exe.400000.8.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                      Click to see the 51 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 5.0.order - 922 - LongWay..exe.400000.4.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "finance@demo.jeninfo.com", "Password": "%e&qapQ3oNkx", "Host": "mail.demo.jeninfo.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: order - 922 - LongWay..exeReversingLabs: Detection: 18%
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeReversingLabs: Detection: 18%
                      Machine Learning detection for sampleShow sources
                      Source: order - 922 - LongWay..exeJoe Sandbox ML: detected
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeJoe Sandbox ML: detected
                      Source: 5.0.order - 922 - LongWay..exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.order - 922 - LongWay..exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                      Source: 16.0.tKZVPq.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                      Source: 16.0.tKZVPq.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.order - 922 - LongWay..exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                      Source: 16.2.tKZVPq.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 16.0.tKZVPq.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.order - 922 - LongWay..exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                      Source: 16.0.tKZVPq.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.order - 922 - LongWay..exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                      Source: 16.0.tKZVPq.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.2.order - 922 - LongWay..exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: order - 922 - LongWay..exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: order - 922 - LongWay..exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: IAssemblyEn.pdb source: tKZVPq.exe, tKZVPq.exe, 0000000B.00000000.778393250.00000000001F0000.00000002.00020000.sdmp, tKZVPq.exe, 0000000F.00000000.784812010.0000000000250000.00000002.00020000.sdmp, tKZVPq.exe, 00000010.00000002.938319196.0000000000670000.00000002.00020000.sdmp, tKZVPq.exe, 00000011.00000000.796641075.0000000000230000.00000002.00020000.sdmp, tKZVPq.exe, 00000012.00000000.801051583.00000000001B0000.00000002.00020000.sdmp, order - 922 - LongWay..exe, tKZVPq.exe.5.dr

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49836 -> 103.195.185.115:587
                      Source: Joe Sandbox ViewASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
                      Source: Joe Sandbox ViewIP Address: 103.195.185.115 103.195.185.115
                      Source: Joe Sandbox ViewIP Address: 103.195.185.115 103.195.185.115
                      Source: global trafficTCP traffic: 192.168.2.4:49836 -> 103.195.185.115:587
                      Source: global trafficTCP traffic: 192.168.2.4:49836 -> 103.195.185.115:587
                      Source: order - 922 - LongWay..exe, 00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp, tKZVPq.exe, 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: tKZVPq.exe, 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmpString found in binary or memory: http://BmacPT.com
                      Source: tKZVPq.exe, 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: order - 922 - LongWay..exe, 00000005.00000002.942341689.0000000002D19000.00000004.00000001.sdmpString found in binary or memory: http://demo.jeninfo.com
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: order - 922 - LongWay..exe, 00000005.00000002.942341689.0000000002D19000.00000004.00000001.sdmpString found in binary or memory: http://mail.demo.jeninfo.com
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697060424.0000000007082000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: order - 922 - LongWay..exe, 00000005.00000002.942341689.0000000002D19000.00000004.00000001.sdmp, order - 922 - LongWay..exe, 00000005.00000003.900788964.0000000000B04000.00000004.00000001.sdmpString found in binary or memory: http://zBBI0wGzrhieBOwCO9P.net
                      Source: order - 922 - LongWay..exe, 00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmp, order - 922 - LongWay..exe, 00000005.00000000.691336460.0000000000402000.00000040.00000001.sdmp, order - 922 - LongWay..exe, 00000005.00000000.689627196.0000000000402000.00000040.00000001.sdmp, tKZVPq.exe, 0000000A.00000002.800614481.0000000003E59000.00000004.00000001.sdmp, tKZVPq.exe, 0000000F.00000002.804574549.0000000003609000.00000004.00000001.sdmp, tKZVPq.exe, 00000010.00000000.791237614.0000000000402000.00000040.00000001.sdmp, tKZVPq.exe, 00000010.00000002.937803830.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: order - 922 - LongWay..exe, 00000005.00000002.940918607.00000000029B1000.00000004.00000001.sdmp, tKZVPq.exe, 00000010.00000002.940497927.0000000002BC1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownDNS traffic detected: queries for: mail.demo.jeninfo.com

                      Spam, unwanted Advertisements and Ransom Demands:

                      barindex
                      Modifies the hosts fileShow sources
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: order - 922 - LongWay..exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 5.0.order - 922 - LongWay..exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bC54C654Du002d1F0Bu002d446Bu002dAC5Du002d65F74970AA45u007d/B2F568B2u002d973Eu002d45AEu002dA54Fu002d2E80459E8E64.csLarge array initialization: .cctor: array initializer size 11940
                      Source: 5.0.order - 922 - LongWay..exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007bC54C654Du002d1F0Bu002d446Bu002dAC5Du002d65F74970AA45u007d/B2F568B2u002d973Eu002d45AEu002dA54Fu002d2E80459E8E64.csLarge array initialization: .cctor: array initializer size 11940
                      Source: order - 922 - LongWay..exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 0_2_0154C9740_2_0154C974
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 0_2_0154EDB80_2_0154EDB8
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 0_2_0154EDA80_2_0154EDA8
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 0_2_075E2A980_2_075E2A98
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 0_2_075EC0780_2_075EC078
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00BA11E25_2_00BA11E2
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00BA11405_2_00BA1140
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00BA9BF05_2_00BA9BF0
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00BA5D385_2_00BA5D38
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00BA64795_2_00BA6479
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00BA65785_2_00BA6578
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00C071005_2_00C07100
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00C059E05_2_00C059E0
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00C0BC685_2_00C0BC68
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00C847A05_2_00C847A0
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00C83CCC5_2_00C83CCC
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00C847905_2_00C84790
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00C847725_2_00C84772
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00C854905_2_00C85490
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 10_2_0140C97410_2_0140C974
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 10_2_0140EDB310_2_0140EDB3
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 10_2_0140EDB810_2_0140EDB8
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 10_2_08A72A9810_2_08A72A98
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 10_2_08A7BEFC10_2_08A7BEFC
                      Source: order - 922 - LongWay..exeBinary or memory string: OriginalFilename vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exe, 00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFyKnTqyFcfLHrgHTrTGrmHWnBuhJPDMQ.exe4 vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exe, 00000000.00000002.694349037.0000000003F99000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exe, 00000000.00000002.692736168.0000000000B60000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIAssemblyEn.exe0 vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exe, 00000000.00000002.693824370.0000000002F91000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFyKnTqyFcfLHrgHTrTGrmHWnBuhJPDMQ.exe4 vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exe, 00000000.00000002.697257201.0000000007460000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exeBinary or memory string: OriginalFilename vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exe, 00000004.00000000.684955126.0000000000130000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIAssemblyEn.exe0 vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exeBinary or memory string: OriginalFilename vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exe, 00000005.00000000.687068836.00000000004E0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIAssemblyEn.exe0 vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exe, 00000005.00000000.691336460.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameFyKnTqyFcfLHrgHTrTGrmHWnBuhJPDMQ.exe4 vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exe, 00000005.00000002.938235618.00000000008F8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exe, 00000005.00000002.939413626.0000000000CAA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exeBinary or memory string: OriginalFilenameIAssemblyEn.exe0 vs order - 922 - LongWay..exe
                      Source: order - 922 - LongWay..exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: tKZVPq.exe.5.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: order - 922 - LongWay..exeReversingLabs: Detection: 18%
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeFile read: C:\Users\user\Desktop\order - 922 - LongWay..exeJump to behavior
                      Source: order - 922 - LongWay..exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\order - 922 - LongWay..exe "C:\Users\user\Desktop\order - 922 - LongWay..exe"
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess created: C:\Users\user\Desktop\order - 922 - LongWay..exe C:\Users\user\Desktop\order - 922 - LongWay..exe
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess created: C:\Users\user\Desktop\order - 922 - LongWay..exe C:\Users\user\Desktop\order - 922 - LongWay..exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeProcess created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeProcess created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeProcess created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeProcess created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess created: C:\Users\user\Desktop\order - 922 - LongWay..exe C:\Users\user\Desktop\order - 922 - LongWay..exeJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess created: C:\Users\user\Desktop\order - 922 - LongWay..exe C:\Users\user\Desktop\order - 922 - LongWay..exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeProcess created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeProcess created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeProcess created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeProcess created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order - 922 - LongWay..exe.logJump to behavior
                      Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@15/5@2/1
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: 5.0.order - 922 - LongWay..exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.order - 922 - LongWay..exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.order - 922 - LongWay..exe.400000.8.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.order - 922 - LongWay..exe.400000.8.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: order - 922 - LongWay..exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: order - 922 - LongWay..exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: order - 922 - LongWay..exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: IAssemblyEn.pdb source: tKZVPq.exe, tKZVPq.exe, 0000000B.00000000.778393250.00000000001F0000.00000002.00020000.sdmp, tKZVPq.exe, 0000000F.00000000.784812010.0000000000250000.00000002.00020000.sdmp, tKZVPq.exe, 00000010.00000002.938319196.0000000000670000.00000002.00020000.sdmp, tKZVPq.exe, 00000011.00000000.796641075.0000000000230000.00000002.00020000.sdmp, tKZVPq.exe, 00000012.00000000.801051583.00000000001B0000.00000002.00020000.sdmp, order - 922 - LongWay..exe, tKZVPq.exe.5.dr

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: order - 922 - LongWay..exe, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.order - 922 - LongWay..exe.b50000.0.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.order - 922 - LongWay..exe.b50000.0.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.2.order - 922 - LongWay..exe.120000.0.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.order - 922 - LongWay..exe.120000.1.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.order - 922 - LongWay..exe.120000.3.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.order - 922 - LongWay..exe.120000.0.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.order - 922 - LongWay..exe.120000.2.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: tKZVPq.exe.5.dr, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.2.order - 922 - LongWay..exe.4d0000.1.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.11.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.3.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.5.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.0.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.7.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.2.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.1.unpack, aL/Jj.cs.Net Code: GR System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      .NET source code contains method to dynamically call methods (often used by packers)Show sources
                      Source: order - 922 - LongWay..exe, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 0.0.order - 922 - LongWay..exe.b50000.0.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 0.2.order - 922 - LongWay..exe.b50000.0.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 4.2.order - 922 - LongWay..exe.120000.0.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 4.0.order - 922 - LongWay..exe.120000.1.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 4.0.order - 922 - LongWay..exe.120000.3.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 4.0.order - 922 - LongWay..exe.120000.0.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 4.0.order - 922 - LongWay..exe.120000.2.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: tKZVPq.exe.5.dr, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 5.2.order - 922 - LongWay..exe.4d0000.1.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.11.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.3.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.5.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.0.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.7.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.2.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: 5.0.order - 922 - LongWay..exe.4d0000.1.unpack, aL/Jj.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", stackVariable470, null, null)
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeCode function: 5_2_00C86B2F push ebx; retn 0000h5_2_00C86B3A
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 10_2_0140400B push edi; iretd 10_2_01404012
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 10_2_01409268 pushfd ; iretd 10_2_014094BA
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 10_2_014094BB pushfd ; iretd 10_2_014094C2
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 10_2_01403F11 push ebx; iretd 10_2_01403F12
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.23077923156
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.23077923156
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeFile created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeJump to dropped file
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tKZVPqJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tKZVPqJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeFile opened: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order - 922 - LongWay..exeProcess information set: NOOPENFILEERRORBOXJump to behavior