Edit tour

Windows Analysis Report
New Order.exe

Overview

General Information

Sample Name:	New Order.exe
Analysis ID:	626210
MD5:	faa827279f0932969adb995b977f2a1e
SHA1:	9f836961f492cb7083f29a0c9180c27a7ea406e2
SHA256:	4ff77f4e72dd52708b1612318b205be3c750b6f6956363b6055b524bd89cf3fb
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

Yara detected Generic Downloader

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

New Order.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\New Order.exe" MD5: FAA827279F0932969ADB995B977F2A1E)

New Order.exe (PID: 6868 cmdline: {path} MD5: FAA827279F0932969ADB995B977F2A1E)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.navetesilazi.ro/", "Username": "sunny@navetesilazi.ro", "Password": "u,S2gsd@*K7C"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.519247653.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.519247653.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.292766510.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.292766510.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.291441736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.291441736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2f964:$s10: logins 0x347e78:$s11: credential 0x1dee:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x23d7:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x2923:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401
Process Memory Space: New Order.exe PID: 6468	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: New Order.exe PID: 6468	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: New Order.exe PID: 6868	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: New Order.exe PID: 6868	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: New Order.exe PID: 6868	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x9f0a:$s1: get_kbok 0x30ce6:$s1: get_kbok 0xa78a:$s2: get_CHoo 0x31566:$s2: get_CHoo 0xb325:$s3: set_passwordIsSet 0x32101:$s3: set_passwordIsSet 0x9db6:$s4: get_enableLog 0x30b92:$s4: get_enableLog 0x9226:$g1: get_Clipboard 0x30002:$g1: get_Clipboard 0x9234:$g2: get_Keyboard 0x30010:$g2: get_Keyboard 0x9241:$g3: get_Password 0x3001d:$g3: get_Password 0xa664:$g4: get_CtrlKeyDown 0x31440:$g4: get_CtrlKeyDown 0xa674:$g5: get_ShiftKeyDown 0x31450:$g5: get_ShiftKeyDown 0xa685:$g6: get_AltKeyDown 0x31461:$g6: get_AltKeyDown 0x170a4:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.New Order.exe.3606cd0.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.New Order.exe.3606cd0.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.New Order.exe.3606cd0.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2ef16:$s1: get_kbok 0x2f84a:$s2: get_CHoo 0x304a5:$s3: set_passwordIsSet 0x2ed1a:$s4: get_enableLog 0x333c3:$s8: torbrowser 0x31d9f:$s10: logins 0x31717:$s11: credential 0x2e10d:$g1: get_Clipboard 0x2e11b:$g2: get_Keyboard 0x2e128:$g3: get_Password 0x2f6f8:$g4: get_CtrlKeyDown 0x2f708:$g5: get_ShiftKeyDown 0x2f719:$g6: get_AltKeyDown
4.2.New Order.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.New Order.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.New Order.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.New Order.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x33b9f:$s10: logins 0x33517:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown 0x31508:$g5: get_ShiftKeyDown 0x31519:$g6: get_AltKeyDown
0.2.New Order.exe.24e4ef8.2.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x8558:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x859c:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x85e4:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x8870:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x88d4:$s2: Set-MpPreference -DisableArchiveScanning $true 0x892c:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x8984:$s4: Set-MpPreference -DisableScriptScanning $true 0x89d0:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x8a10:$s6: Set-MpPreference -MAPSReporting 0 0x8a5c:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x8ab4:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x8b04:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x8b54:$s10: Set-MpPreference -SevereThreatDefaultAction 6
4.0.New Order.exe.400000.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.10.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.New Order.exe.400000.10.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x33b9f:$s10: logins 0x33517:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown 0x31508:$g5: get_ShiftKeyDown 0x31519:$g6: get_AltKeyDown
4.0.New Order.exe.400000.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.12.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.12.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.New Order.exe.400000.12.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x33b9f:$s10: logins 0x33517:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown 0x31508:$g5: get_ShiftKeyDown 0x31519:$g6: get_AltKeyDown
4.0.New Order.exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.6.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.New Order.exe.400000.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x33b9f:$s10: logins 0x33517:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown 0x31508:$g5: get_ShiftKeyDown 0x31519:$g6: get_AltKeyDown
4.0.New Order.exe.400000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.8.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.New Order.exe.400000.8.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x33b9f:$s10: logins 0x33517:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown 0x31508:$g5: get_ShiftKeyDown 0x31519:$g6: get_AltKeyDown
4.0.New Order.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.New Order.exe.400000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x33b9f:$s10: logins 0x33517:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown 0x31508:$g5: get_ShiftKeyDown 0x31519:$g6: get_AltKeyDown
0.2.New Order.exe.3606cd0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.New Order.exe.3606cd0.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.New Order.exe.3606cd0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.New Order.exe.3606cd0.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x66b36:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x6746a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x680c5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x6693a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x6afe3:$s8: torbrowser 0x33b9f:$s10: logins 0x699bf:$s10: logins 0x33517:$s11: credential 0x69337:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x65d2d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x65d3b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x65d48:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown
Click to see the 27 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.New Order.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.navetesilazi.ro/", "Username": "sunny@navetesilazi.ro", "Password": "u,S2gsd@*K7C"}

Multi AV Scanner detection for submitted file

Source: New Order.exe	Virustotal: Detection: 37%			Perma Link
Source: New Order.exe	ReversingLabs: Detection: 31%

Machine Learning detection for sample

Source: New Order.exe

Joe Sandbox ML: detected

Source: 4.2.New Order.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.New Order.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.New Order.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.New Order.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.New Order.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.New Order.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8

Source: New Order.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: New Order.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\New Order.exe

Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

0_2_06A6D530

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Order.exe.3606cd0.3.raw.unpack, type: UNPACKEDPE

Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ftp://ftp.navetesilazi.ro/sunny
Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: New Order.exe, 00000004.00000002.521962296.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255603989.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: New Order.exe, 00000000.00000003.260043589.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263069055.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259679585.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260675550.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259189127.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262944790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262794568.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260575464.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262733473.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.264325169.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: New Order.exe, 00000000.00000003.260043589.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263069055.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259679585.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260675550.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259189127.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262944790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262794568.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260575464.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262733473.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.264325169.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html6
Source: New Order.exe, 00000000.00000003.256313284.00000000053B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260373768.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260315925.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261719581.00000000053FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlX
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261343363.00000000053FC000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlht
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comG
Source: New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: New Order.exe, 00000000.00000003.267297280.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267127411.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.294277019.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267151398.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267521568.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267112661.00000000053F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261776381.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261750999.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comaN
Source: New Order.exe, 00000000.00000003.260315925.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdQ
Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdb
Source: New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261911453.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261838549.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261930191.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262477906.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262431790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdi
Source: New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260864090.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260920245.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdt
Source: New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessedb
Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261776381.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261750999.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261690313.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261670238.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessedi
Source: New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260535172.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comld
Source: New Order.exe, 00000000.00000003.267127411.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267151398.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267112661.00000000053F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comldvP
Source: New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comlic
Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260920245.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comoitu
Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260864090.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261690313.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260920245.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comony
Source: New Order.exe, 00000000.00000003.267297280.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267127411.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.294277019.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267151398.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267521568.00000000053F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comrsiva
Source: New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261776381.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261911453.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261838549.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261930191.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262477906.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262431790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comtuta
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: New Order.exe, 00000000.00000003.254695939.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.254580619.00000000053E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: New Order.exe, 00000000.00000003.255367660.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255219858.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255017818.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255127554.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255187356.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255151097.00000000053ED000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.254970898.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255136855.00000000053EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/L;;
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: New Order.exe, 00000000.00000003.254695939.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.254580619.00000000053E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnt
Source: New Order.exe, 00000000.00000003.263291014.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: New Order.exe, 00000000.00000003.263269630.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263528813.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263370715.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263353480.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263502565.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263983826.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263291014.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: New Order.exe, 00000000.00000003.256813993.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.256855458.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.256943522.00000000053E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/#
Source: New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258296537.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258296537.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.256943522.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Gras
Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259597195.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260131394.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259941673.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259443452.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258929215.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259855092.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260100966.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259361235.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ue
Source: New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/wa
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: New Order.exe, 00000000.00000003.255250488.00000000053BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.
Source: New Order.exe, 00000000.00000003.255146264.00000000053EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: New Order.exe, 00000000.00000003.254052864.00000000053C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com;
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ySmlPP.com
Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gp8eppjNNQTPw.net
Source: New Order.exe, 00000004.00000003.502947482.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gp8eppjNNQTPw.net853321935-2125563209-4053062332-1002_Classes
Source: New Order.exe, 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, New Order.exe, 00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: New Order.exe, 00000000.00000002.295210516.000000000080A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.New Order.exe.3606cd0.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.New Order.exe.24e4ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 4.0.New Order.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.New Order.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.New Order.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.New Order.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.New Order.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.New Order.exe.3606cd0.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: New Order.exe PID: 6868, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: New Order.exe

.NET source code contains very large array initializations

Source: 4.2.New Order.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b04ABEA9Cu002dD42Du002d49B5u002dA531u002d8B2C266481EEu007d/u00373E4875Au002d7B70u002d4F11u002dBD68u002d29AE886A5E85.cs	Large array initialization: .cctor: array initializer size 11948
Source: 4.0.New Order.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b04ABEA9Cu002dD42Du002d49B5u002dA531u002d8B2C266481EEu007d/u00373E4875Au002d7B70u002d4F11u002dBD68u002d29AE886A5E85.cs	Large array initialization: .cctor: array initializer size 11948
Source: 4.0.New Order.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b04ABEA9Cu002dD42Du002d49B5u002dA531u002d8B2C266481EEu007d/u00373E4875Au002d7B70u002d4F11u002dBD68u002d29AE886A5E85.cs	Large array initialization: .cctor: array initializer size 11948
Source: 4.0.New Order.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b04ABEA9Cu002dD42Du002d49B5u002dA531u002d8B2C266481EEu007d/u00373E4875Au002d7B70u002d4F11u002dBD68u002d29AE886A5E85.cs	Large array initialization: .cctor: array initializer size 11948

Source: New Order.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.New Order.exe.3606cd0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.New Order.exe.24e4ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 4.0.New Order.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.New Order.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.New Order.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.New Order.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.New Order.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.New Order.exe.3606cd0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: New Order.exe PID: 6868, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0246E570	0_2_0246E570
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0246E580	0_2_0246E580
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0246BCF4	0_2_0246BCF4
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69618	0_2_06A69618
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A65658	0_2_06A65658
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A62250	0_2_06A62250
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A66B28	0_2_06A66B28
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69898	0_2_06A69898
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69617	0_2_06A69617
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A6AE60	0_2_06A6AE60
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A65648	0_2_06A65648
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A62DB8	0_2_06A62DB8
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61DE0	0_2_06A61DE0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61DD0	0_2_06A61DD0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A6750B	0_2_06A6750B
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69AEA	0_2_06A69AEA
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A6722F	0_2_06A6722F
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A67230	0_2_06A67230
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A66200	0_2_06A66200
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A60A68	0_2_06A60A68
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A62248	0_2_06A62248
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A60A58	0_2_06A60A58
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61B87	0_2_06A61B87
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61B88	0_2_06A61B88
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69323	0_2_06A69323
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69330	0_2_06A69330
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69B03	0_2_06A69B03
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A66B18	0_2_06A66B18
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69B61	0_2_06A69B61
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69B45	0_2_06A69B45
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A6988B	0_2_06A6988B
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61808	0_2_06A61808
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61818	0_2_06A61818
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A6206F	0_2_06A6206F
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A62070	0_2_06A62070
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A661F8	0_2_06A661F8
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A671CC	0_2_06A671CC
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00062050	0_2_00062050
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C9C0A0	4_2_00C9C0A0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C92020	4_2_00C92020
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C92D50	4_2_00C92D50
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C92768	4_2_00C92768
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C9F308	4_2_00C9F308
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C9B920	4_2_00C9B920
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E50040	4_2_00E50040
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E52308	4_2_00E52308
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E59460	4_2_00E59460
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E55EAC	4_2_00E55EAC
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E5EFC8	4_2_00E5EFC8
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E5003D	4_2_00E5003D
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E543E0	4_2_00E543E0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00632050	4_2_00632050

Source: New Order.exe	Binary or memory string: OriginalFilename vs New Order.exe
Source: New Order.exe, 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTPojXuVgRwvTuslAVhGVJFKrC.exe4 vs New Order.exe
Source: New Order.exe, 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs New Order.exe
Source: New Order.exe, 00000000.00000002.295210516.000000000080A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs New Order.exe
Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs New Order.exe
Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTPojXuVgRwvTuslAVhGVJFKrC.exe4 vs New Order.exe
Source: New Order.exe, 00000000.00000003.280367821.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs New Order.exe
Source: New Order.exe, 00000000.00000002.302500433.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs New Order.exe
Source: New Order.exe	Binary or memory string: OriginalFilename vs New Order.exe
Source: New Order.exe, 00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTPojXuVgRwvTuslAVhGVJFKrC.exe4 vs New Order.exe
Source: New Order.exe, 00000004.00000002.520356033.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New Order.exe
Source: New Order.exe	Binary or memory string: OriginalFilenameBHMCc.exe8 vs New Order.exe

Source: New Order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: New Order.exe	Virustotal: Detection: 37%
Source: New Order.exe	ReversingLabs: Detection: 31%

Source: New Order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\New Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\New Order.exe "C:\Users\user\Desktop\New Order.exe"
Source: C:\Users\user\Desktop\New Order.exe	Process created: C:\Users\user\Desktop\New Order.exe {path}
Source: C:\Users\user\Desktop\New Order.exe	Process created: C:\Users\user\Desktop\New Order.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\New Order.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\New Order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: 4.2.New Order.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.New Order.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.New Order.exe.400000.12.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.New Order.exe.400000.12.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.New Order.exe.400000.10.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.New Order.exe.400000.10.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\New Order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: New Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: New Order.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_000676A7 push es; retf	0_2_000676BE
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_000676BF push es; retf	0_2_000676D6
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A67B27 push es; retf A679h	0_2_06A67B40
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A6536D push es; ret	0_2_06A65380
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A640E0 push edi; iretd	0_2_06A640E3
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A640D6 push edi; iretd	0_2_06A640D9
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A66847 push es; retf	0_2_06A66850
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61190 push esp; iretd	0_2_06A61191
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69153 push es; retf	0_2_06A69154
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_006376A7 push es; retf	4_2_006376BE
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_006376BF push es; retf	4_2_006376D6
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C97A37 push edi; retn 0000h	4_2_00C97A39

Source: initial sample

Static PE information: section name: .text entropy: 7.85321118232

Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: New Order.exe PID: 6468, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: New Order.exe, 00000000.00000002.298637921.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: New Order.exe, 00000000.00000002.298637921.0000000002A0F000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\New Order.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\New Order.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\New Order.exe TID: 6488	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 6252	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 6252	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 6292	Thread sleep count: 5029 > 30	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe TID: 6292	Thread sleep count: 4780 > 30	Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	Window / User API: threadDelayed 5029			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Window / User API: threadDelayed 4780			Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\New Order.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\New Order.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\New Order.exe

Memory written: C:\Users\user\Desktop\New Order.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Process created: C:\Users\user\Desktop\New Order.exe {path}

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Users\user\Desktop\New Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Users\user\Desktop\New Order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.New Order.exe.3606cd0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Order.exe.3606cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.519247653.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.292766510.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.291441736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Order.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: New Order.exe PID: 6868, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\New Order.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\New Order.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\New Order.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\New Order.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Order.exe PID: 6868, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.New Order.exe.3606cd0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Order.exe.3606cd0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.519247653.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.292766510.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.291441736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: New Order.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: New Order.exe PID: 6868, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	1 Credentials in Registry	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	114 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New Order.exe	38%	Virustotal		Browse
New Order.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.Pwsx
New Order.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.New Order.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.New Order.exe.400000.12.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.New Order.exe.400000.10.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.New Order.exe.400000.6.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.New Order.exe.400000.8.unpack	100%	Avira	TR/Spy.Gen8	Download File
4.0.New Order.exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.tiro.com;	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.fontbureau.comI.TTF	0%	URL Reputation	safe
http://www.fontbureau.comessedi	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ue	0%	URL Reputation	safe
http://www.fontbureau.comessedb	0%	Avira URL Cloud	safe
https://gp8eppjNNQTPw.net	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.fontbureau.comony	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html6	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/4	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/2	0%	URL Reputation	safe
http://www.founder.com.cn/cnt	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.founder.com.cn/cn/L;;	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/#	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.com.TTF	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://www.fontbureau.comtuta	0%	Avira URL Cloud	safe
http://ySmlPP.com	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.fontbureau.comdt	0%	Avira URL Cloud	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.fontbureau.comaN	0%	Avira URL Cloud	safe
http://www.fontbureau.comG	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/wa	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
ftp://ftp.navetesilazi.ro/sunny	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/P	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/N	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/G	0%	URL Reputation	safe
http://www.fontbureau.comldvP	0%	Avira URL Cloud	safe
https://gp8eppjNNQTPw.net853321935-2125563209-4053062332-1002_Classes	0%	Avira URL Cloud	safe
http://www.fontbureau.comdb	0%	Avira URL Cloud	safe
http://www.fontbureau.comlic	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Gras	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.comdi	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.tiro.	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comdQ	0%	Avira URL Cloud	safe
http://www.fontbureau.comoitu	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/t	0%	URL Reputation	safe
http://www.fontbureau.comld	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.comrsiva	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.tiro.com;	New Order.exe, 00000000.00000003.254052864.00000000053C5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://127.0.0.1:HTTP/1.1	New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comI.TTF	New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comessedi	New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261776381.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261750999.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261690313.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261670238.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ue	New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comessedb	New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gp8eppjNNQTPw.net	New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	New Order.exe, 00000000.00000003.255146264.00000000053EA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	New Order.exe, 00000000.00000003.256313284.00000000053B3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comony	New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260864090.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261690313.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260920245.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	New Order.exe, 00000000.00000003.263269630.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263528813.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263370715.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263353480.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263502565.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263983826.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263291014.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html6	New Order.exe, 00000000.00000003.260043589.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263069055.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259679585.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260675550.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259189127.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262944790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262794568.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260575464.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262733473.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.264325169.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/4	New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258296537.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/2	New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258296537.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnt	New Order.exe, 00000000.00000003.254695939.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.254580619.00000000053E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/L;;	New Order.exe, 00000000.00000003.255367660.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255219858.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255017818.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255127554.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255187356.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255151097.00000000053ED000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.254970898.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255136855.00000000053EC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ascendercorp.com/typedesigners.html	New Order.exe, 00000000.00000003.260043589.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263069055.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259679585.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260675550.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259189127.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262944790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262794568.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260575464.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262733473.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.264325169.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/#	New Order.exe, 00000000.00000003.256813993.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.256855458.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.256943522.00000000053E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	New Order.exe, 00000004.00000002.521962296.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com.TTF	New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	New Order.exe, 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, New Order.exe, 00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comtuta	New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261776381.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261911453.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261838549.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261930191.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262477906.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262431790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ySmlPP.com	New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255603989.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260373768.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260315925.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	New Order.exe, 00000000.00000003.263291014.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNS	New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdt	New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260864090.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260920245.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comF	New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comaN	New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261776381.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261750999.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comG	New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/wa	New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
ftp://ftp.navetesilazi.ro/sunny	New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/P	New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/N	New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/G	New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.256943522.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comldvP	New Order.exe, 00000000.00000003.267127411.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267151398.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267112661.00000000053F5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gp8eppjNNQTPw.net853321935-2125563209-4053062332-1002_Classes	New Order.exe, 00000004.00000003.502947482.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.comdb	New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comlic	New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Gras	New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259597195.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260131394.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259941673.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259443452.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258929215.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259855092.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260100966.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259361235.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.coma	New Order.exe, 00000000.00000003.267297280.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267127411.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.294277019.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267151398.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267521568.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267112661.00000000053F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comdi	New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261911453.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261838549.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261930191.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262477906.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262431790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.	New Order.exe, 00000000.00000003.255250488.00000000053BE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	New Order.exe, 00000000.00000003.254695939.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.254580619.00000000053E9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comdQ	New Order.exe, 00000000.00000003.260315925.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comoitu	New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260920245.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/t	New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comld	New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260535172.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comrsiva	New Order.exe, 00000000.00000003.267297280.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267127411.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.294277019.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267151398.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267521568.00000000053F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlX	New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261719581.00000000053FC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.htmlht	New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261343363.00000000053FC000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626210
Start date and time: 13/05/202217:43:12	2022-05-13 17:43:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	New Order.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 57 Number of non-executed functions: 24
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:44:27	API Interceptor	609x Sleep call for process: New Order.exe modified

Process:	C:\Users\user\Desktop\New Order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.84777519780579
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	New Order.exe
File size:	827904
MD5:	faa827279f0932969adb995b977f2a1e
SHA1:	9f836961f492cb7083f29a0c9180c27a7ea406e2
SHA256:	4ff77f4e72dd52708b1612318b205be3c750b6f6956363b6055b524bd89cf3fb
SHA512:	b318977b0acd2930160e015ede39d4c110a7b3c2c63e9e1d4200ce53039a3c6937b0aad97cba5222f1925b5cd7f2117c0d182c443756d75b0421cdcc13280601
SSDEEP:	24576:Y1+MlTwFRZdknMjjGQVM63WlhtQm+d2s51bsnEpSjR:+VwFRZWOaQSLlj9+d11Invj
TLSH:	870502253B2C7D11E5A7DB349590C11881B6BC6FBE33F22A2E973D8F1D097418671AB2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....]~b..............P.............Z.... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4cb65a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627E5DBC [Fri May 13 13:31:40 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or al, byte ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], cl
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax*2], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc dword ptr [eax+00h], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcb608	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcc000	0x5a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xce000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc9688	0xc9800	False	0.900231903303	data	7.85321118232	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xcc000	0x5a4	0x600	False	0.421223958333	data	4.08556644653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xce000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xcc090	0x314	data
RT_MANIFEST	0xcc3b4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017
Assembly Version	1.0.0.0
InternalName	BHMCc.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Coffee Shop
ProductVersion	1.0.0.0
FileDescription	Coffee Shop
OriginalFilename	BHMCc.exe

Target ID:	0
Start time:	17:44:15
Start date:	13/05/2022
Path:	C:\Users\user\Desktop\New Order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New Order.exe"
Imagebase:	0x60000
File size:	827904 bytes
MD5 hash:	FAA827279F0932969ADB995B977F2A1E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	17:44:34
Start date:	13/05/2022
Path:	C:\Users\user\Desktop\New Order.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x630000
File size:	827904 bytes
MD5 hash:	FAA827279F0932969ADB995B977F2A1E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.519247653.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.519247653.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.292766510.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.292766510.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.291441736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.291441736.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	21.3%
Total number of Nodes:	169
Total number of Limit Nodes:	16

Executed Functions

Function 06A66B28 Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

{3/, xrefs: 06A66C94

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID: {3/
API String ID: 0-2911790921
Opcode ID: 00b81e5d62c2e1ef869fcfd79d08dadb05b238e600bc8e657296d742b0b02e40
Instruction ID: 34c1e15717ca49f92fd440ba475963640dbadb6379b80b4d7facc05d05159e04
Opcode Fuzzy Hash: 00b81e5d62c2e1ef869fcfd79d08dadb05b238e600bc8e657296d742b0b02e40
Instruction Fuzzy Hash: 29B13674E04259CFCB44EFAAC94059EFBF2FF89310F24D52AE405AB215E734A941CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06A66B18 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

{3/, xrefs: 06A66C94

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID: {3/
API String ID: 0-2911790921
Opcode ID: 3c57e720fce91bf5a3ec5bcabd9c9f03f200ff20bcba85c3691321d0d50cfa79
Instruction ID: 6f3e68eb833388bcf41ba2de47f8f137bb623cd7bf019d3ee7b8485ce419363f
Opcode Fuzzy Hash: 3c57e720fce91bf5a3ec5bcabd9c9f03f200ff20bcba85c3691321d0d50cfa79
Instruction Fuzzy Hash: B9B15874E04259CFCB44DFAAC94059EFBF2FF89310F14D52AE405AB219E734A902CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06A69618 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

mtG, xrefs: 06A697CE

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID: mtG
API String ID: 0-2219882087
Opcode ID: 3073d7b25255db2c013a1b5a411f4f2ea1b9c07b49449802742167eb0c1ae84e
Instruction ID: 16e34651ef1877460057ac634a7655aa83addf44cbe3a6fd282d487fac81aa0e
Opcode Fuzzy Hash: 3073d7b25255db2c013a1b5a411f4f2ea1b9c07b49449802742167eb0c1ae84e
Instruction Fuzzy Hash: 71514874D0A209DFDB44DFA6E580ADEFBF6EB89310F24902AE406BB254D7748941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06A69617 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

mtG, xrefs: 06A697CE

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID: mtG
API String ID: 0-2219882087
Opcode ID: 6124c7fa37c93672d26271159a48f7b35586d0f334df9e64481ded5358094485
Instruction ID: f6b0cfd8cae3c38c3d93322b40ad91315b0e21d5f693f79ac30632791b1eda5c
Opcode Fuzzy Hash: 6124c7fa37c93672d26271159a48f7b35586d0f334df9e64481ded5358094485
Instruction Fuzzy Hash: 15514874D0A209DFDB44DFA6E580ADEFBF2EB89310F24942AE406BB254D7348941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06A65658 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0964619fb29a8bf1fa7306c61666940e6d9a279a82ff917e3598e7b75bd6c13
Instruction ID: 62208092f66fbb188adf2ff0bae97cd8ec85382796abedb81351fde3a7173126
Opcode Fuzzy Hash: e0964619fb29a8bf1fa7306c61666940e6d9a279a82ff917e3598e7b75bd6c13
Instruction Fuzzy Hash: E6D15978E08205DFDB48EFA9D68498DBFF2FB89315B14C4A9E405EB264E734A940CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06A65648 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 712bfbd82c1b6cdcd007e63f043976dec3575eb2c0ded1b6a1e84ab936ac15e0
Instruction ID: 2b9c10e46ea2b5435143ceea312f70c02ddefcf06997f84a7a42d1dc7b4e2bba
Opcode Fuzzy Hash: 712bfbd82c1b6cdcd007e63f043976dec3575eb2c0ded1b6a1e84ab936ac15e0
Instruction Fuzzy Hash: B0C16A78E04205DFDB48EFA9D68498DBFF2FB89315B14C469E405EB268E738A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06A69898 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77aa16ce8e5089bef7e800379901e6d1a03d423224acd3780ae88f3396895281
Instruction ID: 38653aa80ffb9261583ea534f4751b23b5373f0c91cdd4759972f0a4c8ba2392
Opcode Fuzzy Hash: 77aa16ce8e5089bef7e800379901e6d1a03d423224acd3780ae88f3396895281
Instruction Fuzzy Hash: B3714971E4562A8FDB68CF66CD44B9AF7B2BB88300F1081FAD50DA7250E7705E819F40

Uniqueness

Uniqueness Score: -1.00%

Function 06A6988B Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e251bbe039f4be3fc00ce731a9da6c27b1328c34fc7594f494c23918f7d11e
Instruction ID: bc6b970e8ff40662bcdb1eefed7014435392bb33103bb41b1f41225cd96178c1
Opcode Fuzzy Hash: 18e251bbe039f4be3fc00ce731a9da6c27b1328c34fc7594f494c23918f7d11e
Instruction Fuzzy Hash: 05514A71E4161A8BDB68CF66CD44BDAFBB2FF88304F1481EAD509A7654EB705E818F40

Uniqueness

Uniqueness Score: -1.00%

Function 06A69B03 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c53b37e18a31703dc8d8d610f61c694df5bc3b8a999d4cd38aa62ed963102a
Instruction ID: 56e3e95b7362a428d64b1d3a09c1102037d42ebb6adc7176d8761158ac4bf1da
Opcode Fuzzy Hash: 04c53b37e18a31703dc8d8d610f61c694df5bc3b8a999d4cd38aa62ed963102a
Instruction Fuzzy Hash: C7512675E4162A8FDB64CF61CD84B9AF7B2FB88304F1082E6D519A7650E770AEC19F40

Uniqueness

Uniqueness Score: -1.00%

Function 06A69B61 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe05d5cfb0676252ae0fd5e31c7e0be5062dc96eca920644bd4ed02f3dd6766
Instruction ID: 8a8ad79bcbbfd798130a892c3ca44ed35fe1aded90d409d3c1a9e9c9e30607f0
Opcode Fuzzy Hash: bbe05d5cfb0676252ae0fd5e31c7e0be5062dc96eca920644bd4ed02f3dd6766
Instruction Fuzzy Hash: 57514774D4162A8FDB64CF65CD84BDAF7B2BB88304F1085EAD509A7650E7709EC18F40

Uniqueness

Uniqueness Score: -1.00%

Function 06A69AEA Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276feba5b32ceb9c9ccbf7f6173a955b6bc7e938e8380869f3f6b83759e5e6b7
Instruction ID: e2b492eedc2590dfd5dd77dfcdb8458424e9bb7d6fac38c08264889b9f8472a4
Opcode Fuzzy Hash: 276feba5b32ceb9c9ccbf7f6173a955b6bc7e938e8380869f3f6b83759e5e6b7
Instruction Fuzzy Hash: 95513571E4162B8FDB64CF61CD80B9AB7B2BB98304F1081EAD519A7650E770AEC19F40

Uniqueness

Uniqueness Score: -1.00%

Function 06A69B45 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5c2bd50a5024af513545e363b94b03e62e45bc604349d663df8276c0341bbc
Instruction ID: f247f4ef812405f00f071ecb6ccec55e21049da14186b75e0aad716e2f8a108c
Opcode Fuzzy Hash: 1d5c2bd50a5024af513545e363b94b03e62e45bc604349d663df8276c0341bbc
Instruction Fuzzy Hash: CC515571E4062B8FDB64CF61CD80B9AB7B2BF88300F1081EAD509A7650E770AEC19F40

Uniqueness

Uniqueness Score: -1.00%

Function 06A62250 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ba475f3c342e432f4c26c10640162a0318bd725716f554341c867d94e6fa37
Instruction ID: b9e56e2daf5099ca524ce87fc48e4e9d8dc00e7a242e2a28242cfc3c2166418d
Opcode Fuzzy Hash: 80ba475f3c342e432f4c26c10640162a0318bd725716f554341c867d94e6fa37
Instruction Fuzzy Hash: 5031F971E146189BEB58DFABD84069EFBF3BFC8200F04C5BAD418A6224DB305A468F51

Uniqueness

Uniqueness Score: -1.00%

Function 06A6D530 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a21e43f3d2e205b300986328c8d4e88f6f5a45d0772763c1ef1d07a598651560
Instruction ID: f6adc0a3d06627601ffcbdafb58c9ff3c2dabbe2dd707ebb5fe060972852b745
Opcode Fuzzy Hash: a21e43f3d2e205b300986328c8d4e88f6f5a45d0772763c1ef1d07a598651560
Instruction Fuzzy Hash: 90112E70D042588FDB15AFA6C4187EDBBF1EF4E355F145069E401B7290C7748944CB79

Uniqueness

Uniqueness Score: -1.00%

Function 0246B7C0 Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0246B830
GetCurrentThread.KERNEL32 ref: 0246B86D
GetCurrentProcess.KERNEL32 ref: 0246B8AA
GetCurrentThreadId.KERNEL32 ref: 0246B903

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a0e88336dc35bbb730750b59ce6a55408a466c068fa5ff1d90df55fcc8080790
Instruction ID: c9f8185e93c3b0dabeb81cb9173479a9a8f3ffbfbb4600ffb652a6e3603a48ad
Opcode Fuzzy Hash: a0e88336dc35bbb730750b59ce6a55408a466c068fa5ff1d90df55fcc8080790
Instruction Fuzzy Hash: D95166B0A042448FDB14CFA9DA487AEBBF0FF48308F14849AE559B7350D7745988CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0246B7D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0246B830
GetCurrentThread.KERNEL32 ref: 0246B86D
GetCurrentProcess.KERNEL32 ref: 0246B8AA
GetCurrentThreadId.KERNEL32 ref: 0246B903

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6375ff521466df11520be55a5f38f3098a8c38b687f3735e0815d15afca6e48e
Instruction ID: 86a695c17efa6f5d7a68e23816ea6bbdbd4e44eb5230d9d9c1042ad732abc855
Opcode Fuzzy Hash: 6375ff521466df11520be55a5f38f3098a8c38b687f3735e0815d15afca6e48e
Instruction Fuzzy Hash: 815145B0A046088FDB14CFA9DA48BAEBBF1FB48308F20845AE559B7350D7745984CF66

Uniqueness

Uniqueness Score: -1.00%

Function 024694E8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0246972E

Strings

|Nm, xrefs: 0246968B
|Nm, xrefs: 02469666

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID: HandleModule
String ID: |Nm$|Nm
API String ID: 4139908857-3440798706
Opcode ID: e0845667f60f30ac5c9e22404f0f51c29047d549f8f4b001e575b407ed0b35f8
Instruction ID: 7a6f21eaf0de8ebacf876257ee784cb8fe73d4b048fc45682246afbe0241afe7
Opcode Fuzzy Hash: e0845667f60f30ac5c9e22404f0f51c29047d549f8f4b001e575b407ed0b35f8
Instruction Fuzzy Hash: 5A711271A00B058FD764DF6AD44476BB7F2BB88304F00892ED44ADBB40DB75E9498F92

Uniqueness

Uniqueness Score: -1.00%

Function 06A6B558 Relevance: 1.6, APIs: 1, Instructions: 143
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 06A6B6AB

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0036e56cdea85f331bca085b4773b5dff9f6df21e5cd7bc1f531927f1d3fe44a
Instruction ID: ead2eb84bbfd51362a4a3bb3ca5b6609e92b1be4344d9c44ebf18d79129f3b4b
Opcode Fuzzy Hash: 0036e56cdea85f331bca085b4773b5dff9f6df21e5cd7bc1f531927f1d3fe44a
Instruction Fuzzy Hash: 92512671D053299FDB50DF95C980BDDBBB5BF48304F01809AE908B7250DB759A98CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0246FCEC Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0246FE0A

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 825efb71339072bc1289144e1c87ecdfadd89c7844ab59f159568efd90a8e57b
Instruction ID: c5982bc25f60644387c382c47d0f3d7cf2733decbceb03da2410835d8aae9205
Opcode Fuzzy Hash: 825efb71339072bc1289144e1c87ecdfadd89c7844ab59f159568efd90a8e57b
Instruction Fuzzy Hash: 2951C0B1D003099FDB14CFA9D984ADEBBB5FF88314F25812AE819AB210D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0246FCF8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0246FE0A

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1c1b70925ca2232603bafe2fc8d5092b0160906b349308380b45863e3fa6b29e
Instruction ID: ce5bef3527e641bac9d96b91be12fce0595178ac097e0dceff826805decfe2fa
Opcode Fuzzy Hash: 1c1b70925ca2232603bafe2fc8d5092b0160906b349308380b45863e3fa6b29e
Instruction Fuzzy Hash: 0241B0B1D003099FDB14CF99D984ADEBFB5FF48314F25812AE819AB210D774A985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06A6BF08 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06A6BF95

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7d972df0afe96eb921b66aaf3ca5a9c4f06538c55c65ab7f269f26ce4c8d0b52
Instruction ID: 9c176810e95b9cb641dd24c25dc0f9a2a6342e2a8c711634ac6142e03fe55e46
Opcode Fuzzy Hash: 7d972df0afe96eb921b66aaf3ca5a9c4f06538c55c65ab7f269f26ce4c8d0b52
Instruction Fuzzy Hash: C42100B5A002499FCB10CF9AD885BDEBBF4FF48314F00842AE919E7250D778A954CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0246BDF8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0246BE87

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0b835d48a849083eb96dcefd4093f6b31eeb6e3def0f52f0690beb529ed809ac
Instruction ID: 2c29cc89c645116f384423d5325f1bc8cfdcbd00dcf3624d6d97c780da54dd9f
Opcode Fuzzy Hash: 0b835d48a849083eb96dcefd4093f6b31eeb6e3def0f52f0690beb529ed809ac
Instruction Fuzzy Hash: 422125B59042499FDB10CFAAD984ADEFBF4FB48324F14841AE914B3310C378A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0246BE00 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0246BE87

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0ec531059ad6c397457910919a4dc70c712c2344a063e7df13cc98ee4382de59
Instruction ID: f1aa525ef3080672d62c4448e216a9f9e0e47a3c56036ce0e251e76677cff18f
Opcode Fuzzy Hash: 0ec531059ad6c397457910919a4dc70c712c2344a063e7df13cc98ee4382de59
Instruction Fuzzy Hash: 7421E4B59042089FDB10CF9AD984AEEFBF8FB48324F14841AE914B3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A6BD90 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06A6BE0F

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5f3af16dd8bba70e38003e8f1f8507a7bf41be86a7ea0cd32c4d80c0af6f4b8f
Instruction ID: 6097903ac6e8a85a0bf39084ef019e0605d2b94790f3720bfe53647974a6e02f
Opcode Fuzzy Hash: 5f3af16dd8bba70e38003e8f1f8507a7bf41be86a7ea0cd32c4d80c0af6f4b8f
Instruction Fuzzy Hash: D621E3B59052599FCB10CF9AD984BDEFBF4FB48320F10842AE918A7250D378A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06A6BCD0 Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 06A6BD47

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 751efe9ac9d56d6edbae07e3e8190d5963b6947ef8d9b1e549b3c304a5fdcde1
Instruction ID: f9c45884abc8777318bb40fdf740f35a8ee14bb640e0174f25cbf32b6d5b4458
Opcode Fuzzy Hash: 751efe9ac9d56d6edbae07e3e8190d5963b6947ef8d9b1e549b3c304a5fdcde1
Instruction Fuzzy Hash: E5213871D042599FCB00CF9AD9457EEFBF4BB48214F00812AE518B7240D778A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A65548 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06A655C3

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c6fa54867de6b1336d2b7c72f2080573ad3f800d461c8ff32edab60fe558f2fb
Instruction ID: b2ecb3c92cd4c613d997300e2d7dd0f26244bf47f415ee6113cb7a1e514f136a
Opcode Fuzzy Hash: c6fa54867de6b1336d2b7c72f2080573ad3f800d461c8ff32edab60fe558f2fb
Instruction Fuzzy Hash: 9B213675D042499FCB10CF9AC884BDEFBF4FB48324F108429E459A7640D378A644CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02469949 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,024697A9,00000800,00000000,00000000), ref: 024699BA

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: acd299421c5efff3763b8f3a6fb6f5a7181d039efed613c083003fedd0e02f08
Instruction ID: 4f9044e35df5572458fbe6355e674eb9dd5fb07e3340420a51361175e04dbc05
Opcode Fuzzy Hash: acd299421c5efff3763b8f3a6fb6f5a7181d039efed613c083003fedd0e02f08
Instruction Fuzzy Hash: 611117B69042098FDB10CF9AD584BDEFBF4EB48324F15842ED455A7340C378A549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06A65550 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 06A655C3

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 231bc08b888d2e9cc8a014ab88e78e6b153b335d6d5d1a02a36d6dc3fc3ed2f8
Instruction ID: 6065a35412d1e7ef114654c32c4d84421c0d29aa0cc64fd890a3ca2df2bd5dc8
Opcode Fuzzy Hash: 231bc08b888d2e9cc8a014ab88e78e6b153b335d6d5d1a02a36d6dc3fc3ed2f8
Instruction Fuzzy Hash: 512126B5D042499FCB10CF9AC984BDEFBF8FB48320F108429E959A7240D778A644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02468890 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,024697A9,00000800,00000000,00000000), ref: 024699BA

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9d11dafddfae6bfc3837e527d2d167e16e4e9b9e0d6040bcb2e3e5d0e40e9aa4
Instruction ID: c63e44d696af6ab6f86b4b86e6f13a99db64d038c589d410271491e374162eea
Opcode Fuzzy Hash: 9d11dafddfae6bfc3837e527d2d167e16e4e9b9e0d6040bcb2e3e5d0e40e9aa4
Instruction Fuzzy Hash: AA11F2B69042099FDB10CF9AD548BEEBBF4AB88214F05842ED519A7300C3B4A949CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06A6BE60 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06A6BECB

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8b50fd7bdbcc0a1813d2d37f3344540ded732df09817407ca7e202261d9810f6
Instruction ID: cefee70f08fc5e82069b47fb2b8d34affd8de8bcc54f6f0a5126021032619c37
Opcode Fuzzy Hash: 8b50fd7bdbcc0a1813d2d37f3344540ded732df09817407ca7e202261d9810f6
Instruction Fuzzy Hash: 2D1125B59042489FCB10CF9AD884BDFBBF8FB48324F108419E529A7210C375A554CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A6B918 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06A6C43D

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0bacaa2e3b1390ae28d3c44c1704a6ba0ad273ce1c85da3a2f2cef003414f0fd
Instruction ID: e828b231adf02b71bd1f6ab7e21c45b3fbb7526dfa04e63112ccaf8d4c207412
Opcode Fuzzy Hash: 0bacaa2e3b1390ae28d3c44c1704a6ba0ad273ce1c85da3a2f2cef003414f0fd
Instruction Fuzzy Hash: 4C1106B59043489FDB10DF9AD889BEEFBF8FB48324F10841AE555A7200D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 024696C8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0246972E

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d09ffdee0d626d2cfa581f0996e86c724923751e6c98ea3c5c81985868d42b6d
Instruction ID: 88f1e31a1e4c33f742ccbc5e48e3cc70b60eca6dbcd95b6df62ed2876710ccc9
Opcode Fuzzy Hash: d09ffdee0d626d2cfa581f0996e86c724923751e6c98ea3c5c81985868d42b6d
Instruction Fuzzy Hash: F21102B5D006498FDB10CF9AD448ADFFBF4AB88224F15841AD419A7200D374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0246FF38 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0246FF9D

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: ede44306e0affde0993112c6d0e298664ae1d4cf384ecd936448af542c9f5f4f
Instruction ID: b078e369f8f36f2960a34f076ea1e8af590ea1adeba1ea16f08c7801df02025e
Opcode Fuzzy Hash: ede44306e0affde0993112c6d0e298664ae1d4cf384ecd936448af542c9f5f4f
Instruction Fuzzy Hash: 141136B59002498FDB10CF99D585BDFFBF4FB48324F11841AE855A3640C374A548CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0246FF40 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0246FF9D

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 1de9d4835ad9e386658727519e594604bf23f1efd4ae3123329617851cb967d6
Instruction ID: c35bec1a6bb236cb14ced7b9ff68a1d527d8723d889ef24e309c09d6b28c2b7f
Opcode Fuzzy Hash: 1de9d4835ad9e386658727519e594604bf23f1efd4ae3123329617851cb967d6
Instruction Fuzzy Hash: FF1103B59042089FDB10CF99D589BDFBBF8EB48324F11841AE955A3740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A6C0C0 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06A6C11F

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e6de647a6e94c073aece29014b79fd3d7ca08a9792014706429d2aeba8bf7fe7
Instruction ID: 28702523373187e5858f946674b6f6117f242b7a6c1c22851d5afbc28a061f4e
Opcode Fuzzy Hash: e6de647a6e94c073aece29014b79fd3d7ca08a9792014706429d2aeba8bf7fe7
Instruction Fuzzy Hash: 201153B19042488FCB10CF9AD884BDEFBF8FB48324F10841AD519B3200D378A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 006CD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294957323.00000000006CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126a0d80ef7f81fb0c9b3e76f9a04a46ef52aa4e50e55694cf45e2e06202ef21
Instruction ID: 0c1747bdb384c5c231f467b7a42d9451c2214f87eb1411f3d8239edc370b8fab
Opcode Fuzzy Hash: 126a0d80ef7f81fb0c9b3e76f9a04a46ef52aa4e50e55694cf45e2e06202ef21
Instruction Fuzzy Hash: 0221F1B1508244EFDB05DF14D9C0F66BBA6FB88328F24C57DE9054A256C336D856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 006DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295004144.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef7d8c4e83ed101fe2dcf398e5dd3c9a05b3fa656a428a5cb87c23c1bae6c67
Instruction ID: 6d95ecbd59ba0c7dd491088ed3c003911ac30da5740aa59b185a1e18e3d2e8ad
Opcode Fuzzy Hash: 1ef7d8c4e83ed101fe2dcf398e5dd3c9a05b3fa656a428a5cb87c23c1bae6c67
Instruction Fuzzy Hash: 7421D775908244DFDB14EF14D9C4B26BB66FBC8314F24C56AD9094B346C376D847CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 006DD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295004144.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a86f65679f07841eb1a8a22c8957b159a266ac78c3ba5218ecb2f3ca5168651
Instruction ID: 5fcd97ea203b29f1d4c838f399b8227a39083c8fdb80ead282f9d2a6c30a7fcf
Opcode Fuzzy Hash: 9a86f65679f07841eb1a8a22c8957b159a266ac78c3ba5218ecb2f3ca5168651
Instruction Fuzzy Hash: 11212971908244EFDB01EF50D9C0F26BBA6FB88314F24C5AEEA094B346C336D946CB61

Uniqueness

Uniqueness Score: -1.00%

Function 006DD005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295004144.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dcd19002458a88b7cf9376650ebf8710fda6e56ffe83614dca2a9a28553225b
Instruction ID: 779d2381fe6ed5cc8173d0816a903491eb4e9c4c17b4e159f0a287f0ba92fd09
Opcode Fuzzy Hash: 7dcd19002458a88b7cf9376650ebf8710fda6e56ffe83614dca2a9a28553225b
Instruction Fuzzy Hash: F82171755083809FCB02DF24D994751BF71EB86314F28C5DAD8458B397C33A9856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 006CD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294957323.00000000006CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd45df645f4a8ea0696ff541091910f0911980562d29522548271fd63a809da
Instruction ID: b6d82a175945c05597582235b53acf624cd430a46fce1548954e1f7bfaabe5d5
Opcode Fuzzy Hash: 7cd45df645f4a8ea0696ff541091910f0911980562d29522548271fd63a809da
Instruction Fuzzy Hash: 1211B176904280DFCB12CF14D5C4B66BF72FB84324F24C6ADD9050B656C336D85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 006DD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.295004144.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed02e3589a6c9689257582ffec95221d783e0c36bebb138d43ff1c22c0bf5f0
Instruction ID: a4a6f96dfa01405e9165127dcbbd85cff8e47f3d3ffeba2c69f2fdcc92038b7d
Opcode Fuzzy Hash: 2ed02e3589a6c9689257582ffec95221d783e0c36bebb138d43ff1c22c0bf5f0
Instruction Fuzzy Hash: D311BB75904280DFCB01DF10C5C0B55BBB2FB84324F28C6AAD9494B756C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 006CD76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294957323.00000000006CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7326a94e1d5d7110fd48bf64077ff4af6cd29cc1e55544fee743b0a23ec567
Instruction ID: e79d48c2827f8cd9ec574c320bc870f616aab65251f1b07139a808ff8e7a530e
Opcode Fuzzy Hash: 5c7326a94e1d5d7110fd48bf64077ff4af6cd29cc1e55544fee743b0a23ec567
Instruction Fuzzy Hash: 9101A27150C384AEE7104A16DD85FB6FBDCEF41368F19846EEE055A686C3789884CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 006CD76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.294957323.00000000006CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cd000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b3a7e5dd1eff79293745fb302340228369c3deb6274b02f19e72659aa1484d
Instruction ID: 613d730eed6588488fe3b1be3a6edfd4eba677ddde0836f420da6f642e0e5c0a
Opcode Fuzzy Hash: f3b3a7e5dd1eff79293745fb302340228369c3deb6274b02f19e72659aa1484d
Instruction Fuzzy Hash: E1F06D71508384AEEB108A16DC85BB2FB9CEB81774F18C46AED085B686C3799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 06A61DE0 Relevance: 3.9, Strings: 3, Instructions: 173COMMON

Download Yara Rule

Strings

ySy, xrefs: 06A61F25
-fN, xrefs: 06A61FBA
`RUP, xrefs: 06A62004

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID: -fN$`RUP$ySy
API String ID: 0-247820568
Opcode ID: 1852640c07e74bf54fed0d7b50b164347f93798503b811082b27321675b47abf
Instruction ID: e7910eedb84410e189fb2911c43e2398884ffa0e1ddc9db968ccce18e2015289
Opcode Fuzzy Hash: 1852640c07e74bf54fed0d7b50b164347f93798503b811082b27321675b47abf
Instruction Fuzzy Hash: EE71E274E15219CFDB44CFAAC5805EEFBF2EB89214F28942AE415F7224D7349A428B64

Uniqueness

Uniqueness Score: -1.00%

Function 06A61DD0 Relevance: 3.9, Strings: 3, Instructions: 171COMMON

Download Yara Rule

Strings

ySy, xrefs: 06A61F25
-fN, xrefs: 06A61FBA
`RUP, xrefs: 06A62004

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID: -fN$`RUP$ySy
API String ID: 0-247820568
Opcode ID: 45595bf547ec2f3af787d3eba07ba16d14059c40cf6fc8664107f688ff4cc521
Instruction ID: 495c06100ffbcaf1cb12c3c2530c31f03efd598ee8876af37a0c4afa0bb80510
Opcode Fuzzy Hash: 45595bf547ec2f3af787d3eba07ba16d14059c40cf6fc8664107f688ff4cc521
Instruction Fuzzy Hash: 6171F374E15219CFDB44CFAAC5805EEFBF2EF89214F28946AE415F7224D3349E428B64

Uniqueness

Uniqueness Score: -1.00%

Function 06A66200 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

JE+d, xrefs: 06A6627A

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID: JE+d
API String ID: 0-2668851270
Opcode ID: 087a7183d9153cae553ea333d0d6a3d275fdcc8349481b21c0a9212d73fff4d6
Instruction ID: 056e46bb8e85043be13d173960dd80018694ce4c11cf644acf3e4ad06d4e8716
Opcode Fuzzy Hash: 087a7183d9153cae553ea333d0d6a3d275fdcc8349481b21c0a9212d73fff4d6
Instruction Fuzzy Hash: 23916BB4E04219CFDB54DFAAC980AADFBB2FB89304F14D1A9E408AB355D7309941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06A661F8 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

JE+d, xrefs: 06A6627A

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID: JE+d
API String ID: 0-2668851270
Opcode ID: c03c8268a95851e8d3d2c52f97aef83e3e89f0ed002652bffe3bc970e57b89d7
Instruction ID: 119c5c5ca14ce9b2ebcaca0cf7e4374076169f5197381cb2cc0de589e29a8472
Opcode Fuzzy Hash: c03c8268a95851e8d3d2c52f97aef83e3e89f0ed002652bffe3bc970e57b89d7
Instruction Fuzzy Hash: 1E915CB4E052198FDB54DFAAC980AAEFBF2FB89304F14D169E408AB355D7309941CF61

Uniqueness

Uniqueness Score: -1.00%

Function 06A69330 Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

bTp, xrefs: 06A69408

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID: bTp
API String ID: 0-1047882121
Opcode ID: c35ba65e9cbea04f114e54603199e7f85da8c9cdf9b04e82b66256a15086332c
Instruction ID: aa27a08ba95ce371dede12d56bfc3c9d0bdaf831c0ec2a643a96b0ad1e74bec1
Opcode Fuzzy Hash: c35ba65e9cbea04f114e54603199e7f85da8c9cdf9b04e82b66256a15086332c
Instruction Fuzzy Hash: 43713678E0520ACFDB44DFAAD5845EEFBF2EB89310F10942AE419B7254E7349902CF95

Uniqueness

Uniqueness Score: -1.00%

Function 06A69323 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

bTp, xrefs: 06A69408

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID: bTp
API String ID: 0-1047882121
Opcode ID: a3ea62db9ce49cd59d65cf06ff57f34f1f5f3e5ae50b85804d8d2d1d92c13ddd
Instruction ID: 645f2c050abfa06b685bb423cb741fc2857a861c74ef62cb0dda1174c8698428
Opcode Fuzzy Hash: a3ea62db9ce49cd59d65cf06ff57f34f1f5f3e5ae50b85804d8d2d1d92c13ddd
Instruction Fuzzy Hash: FF712378E0520ACFCB44DFAAD5845EEFBB2EB89310F10942AE415B7254E7349A02CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0246E580 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803edf5674d159dd096c4d38c278318bcf1fc16904284b6b3ff38a22c3db6a4d
Instruction ID: 1fc2b4d27a28c0a1fe7bebcc008314f058805a08d736f05ab8fb392ea4ac3f35
Opcode Fuzzy Hash: 803edf5674d159dd096c4d38c278318bcf1fc16904284b6b3ff38a22c3db6a4d
Instruction Fuzzy Hash: A51291B1D11B468AE310CFB5ED9C1893BA1B785368B90C328D2692AAF1D7F411CBCF44

Uniqueness

Uniqueness Score: -1.00%

Function 0246BCF4 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63880ef8a9aaa33be6a4184496bcc239f9b134261e3f0e276a19031a540b87fa
Instruction ID: dc84e8455ede890c8a766f19f2ede7cb20dbe6499db7327a22d95897bc0c0cc8
Opcode Fuzzy Hash: 63880ef8a9aaa33be6a4184496bcc239f9b134261e3f0e276a19031a540b87fa
Instruction Fuzzy Hash: 2DA17032F10619CFCF05DFA5C8485EEBBB2FF89304B15816AE905AB225DB31A946CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0246E570 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.296666741.0000000002460000.00000040.00000800.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2460000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 218b599fc072c05f7985695a4e55108fcc83a230dd4f028c1e3a1118cd7a4a2d
Instruction ID: a75f65ebaa397ce5709bacf25fe430db5a47b31d7435293b9eae375b01561ddc
Opcode Fuzzy Hash: 218b599fc072c05f7985695a4e55108fcc83a230dd4f028c1e3a1118cd7a4a2d
Instruction Fuzzy Hash: C5C1F8B1D11B468AE710CFB5EC881897BA1BB85368F50C328D2696B6E0E7F451CBCF54

Uniqueness

Uniqueness Score: -1.00%

Function 06A67230 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4eb3ba299b3f43696aa1728e74959a88b555b3dfe40fcc10b84680f06d1d0a
Instruction ID: 125bcf86b836dd1ac6ddab48622a34abdf77f58a9e7ff8c2f1bb920e5b5a88c4
Opcode Fuzzy Hash: 9c4eb3ba299b3f43696aa1728e74959a88b555b3dfe40fcc10b84680f06d1d0a
Instruction Fuzzy Hash: DA613770E1421ACFDB44DFAAC4809AEFBF2EB89314F14D469E514B7254D734DA818FA0

Uniqueness

Uniqueness Score: -1.00%

Function 06A6722F Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b16a41df572459b720ef3b8fce6271cf17452e1a6a22eb7286bb9ecba39b20
Instruction ID: 6f3d1200ba1cc688a578ff944452214d7312644221fd947d1517a5110731b122
Opcode Fuzzy Hash: b0b16a41df572459b720ef3b8fce6271cf17452e1a6a22eb7286bb9ecba39b20
Instruction Fuzzy Hash: 28614774E1424A8FDB44DFAAC4809AEFBF2EB89314F14D469E514B7354D734DA418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 06A671CC Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18918e3ed85677f356b0767331e99a4d1fa947a59640cb1ee50f7944cefb7f4
Instruction ID: c0d80733c794a5da46303117761ef634f7352a2422f6ab363ed9c73631af2ae9
Opcode Fuzzy Hash: d18918e3ed85677f356b0767331e99a4d1fa947a59640cb1ee50f7944cefb7f4
Instruction Fuzzy Hash: A0615774E1424ACFDB44DFAAC4809AEFBF2AB89314F14D46AE514B7354D734DA818FA0

Uniqueness

Uniqueness Score: -1.00%

Function 06A60A68 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d1595d0c6edeb980f353d8815b09128b508a7dda8cdcb5e9292f5b0ac64d67
Instruction ID: 36816abb1907da978485962afb07c559ca1ce78aea91c348b0e4c7db654b5bdb
Opcode Fuzzy Hash: 94d1595d0c6edeb980f353d8815b09128b508a7dda8cdcb5e9292f5b0ac64d67
Instruction Fuzzy Hash: 8C61CD74E112099FCB48CF9AD58499EFBF1FF89210F15C56AE429AB321D734A981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06A60A58 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda32c695a67ecb284c8cbfd0943918fa267862ca84933f2d12c9291e34e4050
Instruction ID: 219185d244e5497850b79db14e8a6ea3a6daf5c0af892f75ee422a7390232ab0
Opcode Fuzzy Hash: cda32c695a67ecb284c8cbfd0943918fa267862ca84933f2d12c9291e34e4050
Instruction Fuzzy Hash: 8661CF74E112099FCB88CF9AD58499EFBF1FF89210F15C56AE419AB321D734A981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 06A61818 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4347c718503fbae10234e7f42a1d875fd7220922f2ea6e2a635c6087759c0cc
Instruction ID: 72c4d74cb2bba6e460f7ba9d99018595d9f93a9164351dcf89676bc871df2ae8
Opcode Fuzzy Hash: b4347c718503fbae10234e7f42a1d875fd7220922f2ea6e2a635c6087759c0cc
Instruction Fuzzy Hash: 596117B1E0424A9FDB44DFAAC5815EEFFB2FF89304F14815AE415A7214D734AA42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 06A61808 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12f0797014011312c40dc9ad13485ca2939b8863ddaa95062d1072f8ad4e3126
Instruction ID: bb983e71f57789d31a3451b05b329a6a155a9a3ae5602f83db1d8c9b54f34c71
Opcode Fuzzy Hash: 12f0797014011312c40dc9ad13485ca2939b8863ddaa95062d1072f8ad4e3126
Instruction Fuzzy Hash: 775125B1E0524A9FDB44DFAAC5815EEFFF2EF89300F14806AE415A7254D734AA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06A61B88 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0b04dbb737db0081599b6ba8b7ed013f7a268b6eed1b6f495775df9efed046
Instruction ID: a51e5283b5c46fdef889446bfbaab10726454d1a05f90baac05843e146375cc1
Opcode Fuzzy Hash: 5c0b04dbb737db0081599b6ba8b7ed013f7a268b6eed1b6f495775df9efed046
Instruction Fuzzy Hash: 4A51F870E0420ACFDB48DFABC5815EEFBF2AB89314F24C46AD515AB254E7349A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 06A61B87 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e90d5ddbd2abe8475f7472c7636ce0f4cb623b77af80fc6003150ea2f533e7b
Instruction ID: 88fc5037554a9900bc8d698d2cbd0ec6356dac0ca3f23c47af1addff3d861919
Opcode Fuzzy Hash: 8e90d5ddbd2abe8475f7472c7636ce0f4cb623b77af80fc6003150ea2f533e7b
Instruction Fuzzy Hash: 19410974E0420ACFDB48DFAAC5815AEFBF2AB89304F14C46AD515AB354E7349A418F94

Uniqueness

Uniqueness Score: -1.00%

Function 06A62070 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb697eea42ba07e12c1a0ece8784bf17486a35308928147e52631712520389d2
Instruction ID: ba9c8f73d9ecaf40d3fd26e30eec75dc5b743906be3c1a584f51e4856ea306ad
Opcode Fuzzy Hash: cb697eea42ba07e12c1a0ece8784bf17486a35308928147e52631712520389d2
Instruction Fuzzy Hash: 0F410AB4E0520ADFDB48DFA6C5815AEFBB2BB88300F24D069D515B7214D7319B41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06A62DB8 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21667a0025a20f4df9ec1d799b21b522f9437d207fef1491891bf428abe601e9
Instruction ID: f413cc0b1236b0e835c19a5e40c570899abc0308f160b636704ecd6274a650ac
Opcode Fuzzy Hash: 21667a0025a20f4df9ec1d799b21b522f9437d207fef1491891bf428abe601e9
Instruction Fuzzy Hash: 91417F71E056188BEB58DF6B8D4539EFBF3BFC9304F14C1BA950CA6214EB300A858E51

Uniqueness

Uniqueness Score: -1.00%

Function 06A6206F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f2d7d648fd12308ebd8467fdfdcd86b272527836c19a7f09e7773bbb69c6f26
Instruction ID: 3b5d5a4d758ea94b89f445616ad7351cd0ea8ebb4e6063d54a783ec4da024435
Opcode Fuzzy Hash: 0f2d7d648fd12308ebd8467fdfdcd86b272527836c19a7f09e7773bbb69c6f26
Instruction Fuzzy Hash: 0541E8B4E0520ADFDB48DFA6C5815AEFBF2BB88300F24D06AD515A7218D7319B41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 06A62248 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecb529a12211f80c9bf3c389ec738c1de8df5f22d0d988042803bc22ab2162b
Instruction ID: 6c8be14081e78da827dfe0ab00e8e7d4092166afd1daf7944f7e285f3413aa6c
Opcode Fuzzy Hash: 3ecb529a12211f80c9bf3c389ec738c1de8df5f22d0d988042803bc22ab2162b
Instruction Fuzzy Hash: 8821E9B1E146199BEB58CFABD84469EFBF3BFC8200F04C57AD818A6214EB3446428F51

Uniqueness

Uniqueness Score: -1.00%

Function 06A6AE60 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99674c6539d577bc34fbba5948b0dcca1a9fbe6d2a8ea8b3a36b6eb0bf0410d
Instruction ID: f693c72bf2bc148e0601028a436bd3ad49356433f43490c413ee5927ca2b4e83
Opcode Fuzzy Hash: c99674c6539d577bc34fbba5948b0dcca1a9fbe6d2a8ea8b3a36b6eb0bf0410d
Instruction Fuzzy Hash: 2E210471E116198BDB58CFABD9406AEFBF7EBC9210F14C16AE518B7254DB304A018FA1

Uniqueness

Uniqueness Score: -1.00%

Function 06A6750B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.302448362.0000000006A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6a60000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a474e8273d73b255334308c49e755c18d06ea3f9df6e81ee0f0a9e72093a643
Instruction ID: 5f5b451ea7a738e795d43bf1c27a36efe579c3da4abfe867249aceb186bb9ce2
Opcode Fuzzy Hash: 1a474e8273d73b255334308c49e755c18d06ea3f9df6e81ee0f0a9e72093a643
Instruction Fuzzy Hash: C1112BB0E156589BDB48CF6BD95169EFBF3EFC9210F14C0BAE408AB255DA304A428F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: New Order.exePID: 6868, Parent PID: 6468COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	325
Total number of Limit Nodes:	46

Executed Functions

Function 00C92020 Relevance: 8.0, APIs: 5, Instructions: 492
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializePointerDeviceInjection.USER32 ref: 00C92411
InitializePointerDeviceInjection.USER32 ref: 00C92463
InitializePointerDeviceInjection.USER32 ref: 00C924C5
InitializePointerDeviceInjection.USER32 ref: 00C92563
InitializePointerDeviceInjection.USER32 ref: 00C925C5
InitializePointerDeviceInjection.USER32 ref: 00C92738

Memory Dump Source

Source File: 00000004.00000002.520825105.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c90000_New Order.jbxd

Similarity

API ID: DeviceInitializeInjectionPointer
String ID:
API String ID: 3161782776-0
Opcode ID: f0fde95e4a20db6fb6bfcf0b1335e4da7206e3ed55a0d9930b39cd5b1a8ca3d0
Instruction ID: 297bf69d9b537fc39cebd52256761f7c792401ea826e5950d14e5f7309ce9656
Opcode Fuzzy Hash: f0fde95e4a20db6fb6bfcf0b1335e4da7206e3ed55a0d9930b39cd5b1a8ca3d0
Instruction Fuzzy Hash: B312BE70A042199FCB14DFA4C858BAEBBF2BF88304F148529E556EB395DB34DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C92D50 Relevance: 3.9, APIs: 2, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.520825105.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c90000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ab03580eb81c8e66b8231cd2c9dec8f3f1c31cd4a0a7b90802ab13668715e2
Instruction ID: d6899aab032ef52e7e1cd5c5dbd7039c9ad0b5dc16e9f6d73ac353a9989e04f4
Opcode Fuzzy Hash: 22ab03580eb81c8e66b8231cd2c9dec8f3f1c31cd4a0a7b90802ab13668715e2
Instruction Fuzzy Hash: 77825930A00649DFCF14CF69C988AAEBBF2BF48314F158559E41ADB2A1D730EE41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00E569C8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,00E5E32A), ref: 00E5E417

Strings

d)^, xrefs: 00E5E3CF

Memory Dump Source

Source File: 00000004.00000002.520918753.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_e50000_New Order.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: d)^
API String ID: 1890195054-1943070175
Opcode ID: 59115968b105c693da17d7936b311b80c7d45a0bcc06543337bc39fa3aa96862
Instruction ID: d959e81efb94aafd27f7a000359c2064aaf8e6e89252f0be4be0dd928505d753
Opcode Fuzzy Hash: 59115968b105c693da17d7936b311b80c7d45a0bcc06543337bc39fa3aa96862
Instruction Fuzzy Hash: 811130B1C046599BCB10CF9AD544BEEFBF4EB48324F05856AD918B7240D378AA58CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 00C916C8 Relevance: 3.3, APIs: 2, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializePointerDeviceInjection.USER32 ref: 00C91959
InitializePointerDeviceInjection.USER32 ref: 00C919BF

Memory Dump Source

Source File: 00000004.00000002.520825105.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c90000_New Order.jbxd

Similarity

API ID: DeviceInitializeInjectionPointer
String ID:
API String ID: 3161782776-0
Opcode ID: 66af59d0e8328eda5a044acdc82b0bc06bd24b58a3d10d17c440c22cf4e42257
Instruction ID: 66d97bac45db018cfbbdfe032e34fc2999ec0cdbdb81631738f35c57f9ba2e1c
Opcode Fuzzy Hash: 66af59d0e8328eda5a044acdc82b0bc06bd24b58a3d10d17c440c22cf4e42257
Instruction Fuzzy Hash: B6C10F347082128FDB169B65C899B7E77E2AFC9344F098929E916CB385CF34DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00C9ECA8 Relevance: 3.2, APIs: 2, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializePointerDeviceInjection.USER32 ref: 00C9EDE5
InitializePointerDeviceInjection.USER32 ref: 00C9EE44

Memory Dump Source

Source File: 00000004.00000002.520825105.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c90000_New Order.jbxd

Similarity

API ID: DeviceInitializeInjectionPointer
String ID:
API String ID: 3161782776-0
Opcode ID: b3923c6e029f301e0f6ed85e402dba59ee4d874fa5a543fa9a0f6795388990bd
Instruction ID: e7238ce7b2127fffc9a7e54926c07daabdedd9ebe9bfdae4bb19e46002516e9d
Opcode Fuzzy Hash: b3923c6e029f301e0f6ed85e402dba59ee4d874fa5a543fa9a0f6795388990bd
Instruction Fuzzy Hash: CB514935B092404FDB56D77988186BF3BE29FE6304B1A806AE115DB3D6DF34CD0287A2

Uniqueness

Uniqueness Score: -1.00%

Function 00C92618 Relevance: 3.1, APIs: 2, Instructions: 112
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsDialogMessageW.USER32(00000000,?,?,?,?,?), ref: 00C926DD
InitializePointerDeviceInjection.USER32 ref: 00C92738

Memory Dump Source

Source File: 00000004.00000002.520825105.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c90000_New Order.jbxd

Similarity

API ID: DeviceDialogInitializeInjectionMessagePointer
String ID:
API String ID: 2222529534-0
Opcode ID: 75ebe46e3589629ad940a630fc3b557789d52e96ae0a2dd1ca56fb613e693cf4
Instruction ID: d8d57957a81e12a21a509ca02f6bf0ef151c8a6cc3184e326e9790084a5c5772
Opcode Fuzzy Hash: 75ebe46e3589629ad940a630fc3b557789d52e96ae0a2dd1ca56fb613e693cf4
Instruction Fuzzy Hash: 8141CF31A04208AFCF109FA4C848BBEBBF6EF84314F05842AF9659B651D775EE55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00C93E28 Relevance: 2.3, APIs: 1, Instructions: 783
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.520825105.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c90000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec2827a4609cd599df8d89f032f94d068d2ec0b6815543dbff5014d2fbb0416
Instruction ID: c5647b4b68ce57b60390317413cf767bd6bf43bd6c98206a6ecdf2177b523f5e
Opcode Fuzzy Hash: dec2827a4609cd599df8d89f032f94d068d2ec0b6815543dbff5014d2fbb0416
Instruction Fuzzy Hash: 35625434A0811C8FDB24DBA0C951BAEB7B3EF89304F1285A9D10A6B794DF309D85DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00C9A770 Relevance: 2.0, APIs: 1, Instructions: 459
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNumaProcessorNode.KERNEL32 ref: 00C9A803

Memory Dump Source

Source File: 00000004.00000002.520825105.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c90000_New Order.jbxd

Similarity

API ID: NodeNumaProcessor
String ID:
API String ID: 2982496373-0
Opcode ID: f510f69df0e43b8ef10d13f93949ebdf46a5fb588fa17ee7e7e4f4acf5b571ad
Instruction ID: 199c05b9541ea1cae2b571bd7f8aab4a94f7950fc17cf713f9b831d3a3dc877e
Opcode Fuzzy Hash: f510f69df0e43b8ef10d13f93949ebdf46a5fb588fa17ee7e7e4f4acf5b571ad
Instruction Fuzzy Hash: 88F1EE30A082058FCF14DB79D9586AE7BF2EF99304F218469E405DB7A1EB34DD45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD450 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.521007974.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ead000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f1bbc52bba7ee32d685f2db577e9ca136c351c014578449e4b251d1ff76563
Instruction ID: 8edd1070b5d4b759c3cd709b2b982f5b3a8fba9843a5068d1890d4cd0f73a0de
Opcode Fuzzy Hash: b4f1bbc52bba7ee32d685f2db577e9ca136c351c014578449e4b251d1ff76563
Instruction Fuzzy Hash: B221F471508244DFDB00DF10DDC0B66BB65FB8D328F248569E9065E646C336E855D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD53C Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.521007974.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ead000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c47e327777fe35f0e6951cc99bddc639ea1fdd36b717677410fc243138457fc3
Instruction ID: 8f124d29b8eda4d393abe07b3bbf2ac1f8cec535047f431eec334c336504541c
Opcode Fuzzy Hash: c47e327777fe35f0e6951cc99bddc639ea1fdd36b717677410fc243138457fc3
Instruction Fuzzy Hash: 0F2145B1908244DFCB05DF00DDC0B26BF65FB8C328F2485A8E9066F646C336E856DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EBD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.521068420.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ebd000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b589b2030f50a0320a35dce1c7b21552f70e584c94c87bf35dcfb65685b009
Instruction ID: 40585e7801de39da15c21ab7543663638069e52327ef50977468cac761430af4
Opcode Fuzzy Hash: f7b589b2030f50a0320a35dce1c7b21552f70e584c94c87bf35dcfb65685b009
Instruction Fuzzy Hash: C021F57550C244DFCB14EF14DDC0B67BB66FB88318F24C5A9D9095B246D336D846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00EBD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.521068420.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ebd000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5630d3abe633faf48bdf81da023adfce4ee6d42bb2bd3f877b865fdd43c9af7
Instruction ID: 5e3325c490e5eaa6a1adc6348510c4a0f7254bd2994694c90678be26a341c059
Opcode Fuzzy Hash: c5630d3abe633faf48bdf81da023adfce4ee6d42bb2bd3f877b865fdd43c9af7
Instruction Fuzzy Hash: A521807550D3C08FCB02CF20D990756BF71EB46314F28C5EAD8498B6A7C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD44B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.521007974.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ead000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd45df645f4a8ea0696ff541091910f0911980562d29522548271fd63a809da
Instruction ID: ec220cfafdeb3da9ab093f8caaf01013a328caaa61a22c52a163414e3a9c70ff
Opcode Fuzzy Hash: 7cd45df645f4a8ea0696ff541091910f0911980562d29522548271fd63a809da
Instruction Fuzzy Hash: CC11B176908280CFDB11CF10D9C4B16BF71FB89328F2486A9D8051B656C336E85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EAD537 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.521007974.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ead000_New Order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd45df645f4a8ea0696ff541091910f0911980562d29522548271fd63a809da
Instruction ID: c6ff74aba0c3fbb3fa991f22a34d2ad44565e28e2a1a6abbed151fefb729b11f
Opcode Fuzzy Hash: 7cd45df645f4a8ea0696ff541091910f0911980562d29522548271fd63a809da
Instruction Fuzzy Hash: 0411D676504280CFCB05CF10D9C4B16BF71FB99324F24C5A9D8055F656C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
New Order.exe

Function 0246B7C0 Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Function 0246B7D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 024694E8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 195
COMMON

Function 06A6B558 Relevance: 1.6, APIs: 1, Instructions: 143
processCOMMON

Function 0246FCEC Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Function 0246FCF8 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 06A6BF08 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Function 0246BDF8 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 0246BE00 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 06A6BD90 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON