Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
New Order.exe

Overview

General Information

Sample Name:New Order.exe
Analysis ID:626210
MD5:faa827279f0932969adb995b977f2a1e
SHA1:9f836961f492cb7083f29a0c9180c27a7ea406e2
SHA256:4ff77f4e72dd52708b1612318b205be3c750b6f6956363b6055b524bd89cf3fb
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • New Order.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\New Order.exe" MD5: FAA827279F0932969ADB995B977F2A1E)
    • New Order.exe (PID: 6868 cmdline: {path} MD5: FAA827279F0932969ADB995B977F2A1E)
  • cleanup
{"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.navetesilazi.ro/", "Username": "sunny@navetesilazi.ro", "Password": "u,S2gsd@*K7C"}
SourceRuleDescriptionAuthorStrings
00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000004.00000002.519247653.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000004.00000002.519247653.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 15 entries
            SourceRuleDescriptionAuthorStrings
            0.2.New Order.exe.3606cd0.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.New Order.exe.3606cd0.3.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                0.2.New Order.exe.3606cd0.3.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
                • 0x2ef16:$s1: get_kbok
                • 0x2f84a:$s2: get_CHoo
                • 0x304a5:$s3: set_passwordIsSet
                • 0x2ed1a:$s4: get_enableLog
                • 0x333c3:$s8: torbrowser
                • 0x31d9f:$s10: logins
                • 0x31717:$s11: credential
                • 0x2e10d:$g1: get_Clipboard
                • 0x2e11b:$g2: get_Keyboard
                • 0x2e128:$g3: get_Password
                • 0x2f6f8:$g4: get_CtrlKeyDown
                • 0x2f708:$g5: get_ShiftKeyDown
                • 0x2f719:$g6: get_AltKeyDown
                4.2.New Order.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  4.2.New Order.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    Click to see the 27 entries
                    No Sigma rule has matched
                    No Snort rule has matched

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Source: 4.2.New Order.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.navetesilazi.ro/", "Username": "sunny@navetesilazi.ro", "Password": "u,S2gsd@*K7C"}
                    Source: New Order.exeVirustotal: Detection: 37%Perma Link
                    Source: New Order.exeReversingLabs: Detection: 31%
                    Source: New Order.exeJoe Sandbox ML: detected
                    Source: 4.2.New Order.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.New Order.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.New Order.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.New Order.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.New Order.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.New Order.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                    Source: New Order.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: New Order.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_06A6D530

                    Networking

                    barindex
                    Source: Yara matchFile source: 4.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.New Order.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.New Order.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.New Order.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.New Order.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.New Order.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.New Order.exe.3606cd0.3.raw.unpack, type: UNPACKEDPE
                    Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ftp://ftp.navetesilazi.ro/sunny
                    Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                    Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNS
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: New Order.exe, 00000004.00000002.521962296.0000000002D30000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255603989.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: New Order.exe, 00000000.00000003.260043589.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263069055.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259679585.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260675550.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259189127.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262944790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262794568.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260575464.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262733473.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.264325169.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                    Source: New Order.exe, 00000000.00000003.260043589.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263069055.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259679585.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260675550.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259189127.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262944790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262794568.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260575464.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262733473.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.264325169.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html6
                    Source: New Order.exe, 00000000.00000003.256313284.00000000053B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260373768.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260315925.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com.TTF
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261719581.00000000053FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlX
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261343363.00000000053FC000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlht
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
                    Source: New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comG
                    Source: New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comI.TTF
                    Source: New Order.exe, 00000000.00000003.267297280.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267127411.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.294277019.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267151398.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267521568.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267112661.00000000053F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
                    Source: New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261776381.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261750999.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comaN
                    Source: New Order.exe, 00000000.00000003.260315925.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdQ
                    Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdb
                    Source: New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261911453.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261838549.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261930191.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262477906.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262431790.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdi
                    Source: New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260864090.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260920245.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdt
                    Source: New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comessedb
                    Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261776381.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261750999.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261690313.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261670238.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comessedi
                    Source: New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260535172.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comld
                    Source: New Order.exe, 00000000.00000003.267127411.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267151398.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267112661.00000000053F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comldvP
                    Source: New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comlic
                    Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260920245.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comoitu
                    Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260864090.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261690313.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260920245.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comony
                    Source: New Order.exe, 00000000.00000003.267297280.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267127411.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.294277019.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267151398.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267521568.00000000053F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comrsiva
                    Source: New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261776381.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261911453.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261838549.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261930191.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262477906.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262431790.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comtuta
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: New Order.exe, 00000000.00000003.254695939.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.254580619.00000000053E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: New Order.exe, 00000000.00000003.255367660.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255219858.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255017818.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255127554.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255187356.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255151097.00000000053ED000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.254970898.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255136855.00000000053EC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/L;;
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: New Order.exe, 00000000.00000003.254695939.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.254580619.00000000053E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnt
                    Source: New Order.exe, 00000000.00000003.263291014.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: New Order.exe, 00000000.00000003.263269630.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263528813.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263370715.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263353480.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263502565.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263983826.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263291014.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: New Order.exe, 00000000.00000003.256813993.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.256855458.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.256943522.00000000053E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/#
                    Source: New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258296537.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/2
                    Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258296537.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/4
                    Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.256943522.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/G
                    Source: New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Gras
                    Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/N
                    Source: New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/P
                    Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                    Source: New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259597195.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260131394.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259941673.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259443452.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258929215.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259855092.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260100966.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259361235.00000000053F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/t
                    Source: New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ue
                    Source: New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/wa
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: New Order.exe, 00000000.00000003.255250488.00000000053BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.
                    Source: New Order.exe, 00000000.00000003.255146264.00000000053EA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: New Order.exe, 00000000.00000003.254052864.00000000053C5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com;
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ySmlPP.com
                    Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gp8eppjNNQTPw.net
                    Source: New Order.exe, 00000004.00000003.502947482.0000000000CC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://gp8eppjNNQTPw.net853321935-2125563209-4053062332-1002_Classes
                    Source: New Order.exe, 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, New Order.exe, 00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                    Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                    Source: New Order.exe, 00000000.00000002.295210516.000000000080A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                    System Summary

                    barindex
                    Source: 0.2.New Order.exe.3606cd0.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.2.New Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.New Order.exe.24e4ef8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
                    Source: 4.0.New Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.New Order.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.New Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.New Order.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.New Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.New Order.exe.3606cd0.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: Process Memory Space: New Order.exe PID: 6868, type: MEMORYSTRMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: initial sampleStatic PE information: Filename: New Order.exe
                    Source: 4.2.New Order.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b04ABEA9Cu002dD42Du002d49B5u002dA531u002d8B2C266481EEu007d/u00373E4875Au002d7B70u002d4F11u002dBD68u002d29AE886A5E85.csLarge array initialization: .cctor: array initializer size 11948
                    Source: 4.0.New Order.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b04ABEA9Cu002dD42Du002d49B5u002dA531u002d8B2C266481EEu007d/u00373E4875Au002d7B70u002d4F11u002dBD68u002d29AE886A5E85.csLarge array initialization: .cctor: array initializer size 11948
                    Source: 4.0.New Order.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b04ABEA9Cu002dD42Du002d49B5u002dA531u002d8B2C266481EEu007d/u00373E4875Au002d7B70u002d4F11u002dBD68u002d29AE886A5E85.csLarge array initialization: .cctor: array initializer size 11948
                    Source: 4.0.New Order.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b04ABEA9Cu002dD42Du002d49B5u002dA531u002d8B2C266481EEu007d/u00373E4875Au002d7B70u002d4F11u002dBD68u002d29AE886A5E85.csLarge array initialization: .cctor: array initializer size 11948
                    Source: New Order.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 0.2.New Order.exe.3606cd0.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.2.New Order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.New Order.exe.24e4ef8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
                    Source: 4.0.New Order.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.New Order.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.New Order.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.New Order.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.New Order.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.New Order.exe.3606cd0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: Process Memory Space: New Order.exe PID: 6868, type: MEMORYSTRMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_0246E5700_2_0246E570
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_0246E5800_2_0246E580
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_0246BCF40_2_0246BCF4
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A696180_2_06A69618
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A656580_2_06A65658
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A622500_2_06A62250
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A66B280_2_06A66B28
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A698980_2_06A69898
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A696170_2_06A69617
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A6AE600_2_06A6AE60
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A656480_2_06A65648
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A62DB80_2_06A62DB8
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A61DE00_2_06A61DE0
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A61DD00_2_06A61DD0
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A6750B0_2_06A6750B
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A69AEA0_2_06A69AEA
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A6722F0_2_06A6722F
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A672300_2_06A67230
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A662000_2_06A66200
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A60A680_2_06A60A68
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A622480_2_06A62248
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A60A580_2_06A60A58
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A61B870_2_06A61B87
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A61B880_2_06A61B88
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A693230_2_06A69323
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A693300_2_06A69330
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A69B030_2_06A69B03
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A66B180_2_06A66B18
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A69B610_2_06A69B61
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A69B450_2_06A69B45
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A6988B0_2_06A6988B
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A618080_2_06A61808
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A618180_2_06A61818
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A6206F0_2_06A6206F
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A620700_2_06A62070
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A661F80_2_06A661F8
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_06A671CC0_2_06A671CC
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 0_2_000620500_2_00062050
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00C9C0A04_2_00C9C0A0
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00C920204_2_00C92020
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00C92D504_2_00C92D50
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00C927684_2_00C92768
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00C9F3084_2_00C9F308
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00C9B9204_2_00C9B920
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00E500404_2_00E50040
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00E523084_2_00E52308
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00E594604_2_00E59460
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00E55EAC4_2_00E55EAC
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00E5EFC84_2_00E5EFC8
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00E5003D4_2_00E5003D
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_00E543E04_2_00E543E0
                    Source: C:\Users\user\Desktop\New Order.exeCode function: 4_2_006320504_2_00632050
                    Source: New Order.exeBinary or memory string: OriginalFilename vs New Order.exe
                    Source: New Order.exe, 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTPojXuVgRwvTuslAVhGVJFKrC.exe4 vs New Order.exe
                    Source: New Order.exe, 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs New Order.exe
                    Source: New Order.exe, 00000000.00000002.295210516.000000000080A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs New Order.exe
                    Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs New Order.exe
                    Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTPojXuVgRwvTuslAVhGVJFKrC.exe4 vs New Order.exe
                    Source: New Order.exe, 00000000.00000003.280367821.0000000002AF2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs New Order.exe
                    Source: New Order.exe, 00000000.00000002.302500433.0000000006E20000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs New Order.exe
                    Source: New Order.exeBinary or memory string: OriginalFilename vs New Order.exe
                    Source: New Order.exe, 00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTPojXuVgRwvTuslAVhGVJFKrC.exe4 vs New Order.exe
                    Source: New Order.exe, 00000004.00000002.520356033.0000000000AF8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs New Order.exe
                    Source: New Order.exeBinary or memory string: OriginalFilenameBHMCc.exe8 vs New Order.exe
                    Source: New Order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: New Order.exeVirustotal: Detection: 37%
                    Source: New Order.exeReversingLabs: Detection: 31%
                    Source: New Order.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\New Order.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\New Order.exe "C:\Users\user\Desktop\New Order.exe"
                    Source: C:\Users\user\Desktop\New Order.exeProcess created: C:\Users\user\Desktop\New Order.exe {path}
                    Source: C:\Users\user\Desktop\New Order.exeProcess created: C:\Users\user\Desktop\New Order.exe {path}Jump to behavior
                    Source: C:\Users\user\Desktop\New Order.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                    Source: C:\Users\user\Desktop\New Order.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\New Order.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\New Order.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order.exe.logJump to behavior
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
                    Source: C:\Users\user\Desktop\New Order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Order.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                    Source: 4.2.New Order.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.2.New Order.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.New Order.exe.400000.12.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.New Order.exe.400000.12.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.New Order.exe.400000.10.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.New Order.exe.400000.10.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\New Order.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\New Order.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: New Order.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: New Order.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT