Edit tour

Windows Analysis Report
New Order.exe

Overview

General Information

Sample Name:	New Order.exe
Analysis ID:	626210
MD5:	faa827279f0932969adb995b977f2a1e
SHA1:	9f836961f492cb7083f29a0c9180c27a7ea406e2
SHA256:	4ff77f4e72dd52708b1612318b205be3c750b6f6956363b6055b524bd89cf3fb
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

Yara detected Generic Downloader

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

New Order.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\New Order.exe" MD5: FAA827279F0932969ADB995B977F2A1E)

New Order.exe (PID: 6868 cmdline: {path} MD5: FAA827279F0932969ADB995B977F2A1E)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.navetesilazi.ro/", "Username": "sunny@navetesilazi.ro", "Password": "u,S2gsd@*K7C"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.519247653.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.519247653.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.292766510.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.292766510.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000000.291441736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.291441736.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2f964:$s10: logins 0x347e78:$s11: credential 0x1dee:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x23d7:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x2923:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401
Process Memory Space: New Order.exe PID: 6468	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: New Order.exe PID: 6468	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: New Order.exe PID: 6868	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: New Order.exe PID: 6868	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: New Order.exe PID: 6868	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x9f0a:$s1: get_kbok 0x30ce6:$s1: get_kbok 0xa78a:$s2: get_CHoo 0x31566:$s2: get_CHoo 0xb325:$s3: set_passwordIsSet 0x32101:$s3: set_passwordIsSet 0x9db6:$s4: get_enableLog 0x30b92:$s4: get_enableLog 0x9226:$g1: get_Clipboard 0x30002:$g1: get_Clipboard 0x9234:$g2: get_Keyboard 0x30010:$g2: get_Keyboard 0x9241:$g3: get_Password 0x3001d:$g3: get_Password 0xa664:$g4: get_CtrlKeyDown 0x31440:$g4: get_CtrlKeyDown 0xa674:$g5: get_ShiftKeyDown 0x31450:$g5: get_ShiftKeyDown 0xa685:$g6: get_AltKeyDown 0x31461:$g6: get_AltKeyDown 0x170a4:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.New Order.exe.3606cd0.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.New Order.exe.3606cd0.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.New Order.exe.3606cd0.3.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2ef16:$s1: get_kbok 0x2f84a:$s2: get_CHoo 0x304a5:$s3: set_passwordIsSet 0x2ed1a:$s4: get_enableLog 0x333c3:$s8: torbrowser 0x31d9f:$s10: logins 0x31717:$s11: credential 0x2e10d:$g1: get_Clipboard 0x2e11b:$g2: get_Keyboard 0x2e128:$g3: get_Password 0x2f6f8:$g4: get_CtrlKeyDown 0x2f708:$g5: get_ShiftKeyDown 0x2f719:$g6: get_AltKeyDown
4.2.New Order.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.New Order.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.New Order.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.2.New Order.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x33b9f:$s10: logins 0x33517:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown 0x31508:$g5: get_ShiftKeyDown 0x31519:$g6: get_AltKeyDown
0.2.New Order.exe.24e4ef8.2.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x8558:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x859c:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x85e4:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x8870:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x88d4:$s2: Set-MpPreference -DisableArchiveScanning $true 0x892c:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x8984:$s4: Set-MpPreference -DisableScriptScanning $true 0x89d0:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x8a10:$s6: Set-MpPreference -MAPSReporting 0 0x8a5c:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x8ab4:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x8b04:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x8b54:$s10: Set-MpPreference -SevereThreatDefaultAction 6
4.0.New Order.exe.400000.10.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.10.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.10.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.New Order.exe.400000.10.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x33b9f:$s10: logins 0x33517:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown 0x31508:$g5: get_ShiftKeyDown 0x31519:$g6: get_AltKeyDown
4.0.New Order.exe.400000.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.12.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.12.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.New Order.exe.400000.12.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x33b9f:$s10: logins 0x33517:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown 0x31508:$g5: get_ShiftKeyDown 0x31519:$g6: get_AltKeyDown
4.0.New Order.exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.6.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.New Order.exe.400000.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x33b9f:$s10: logins 0x33517:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown 0x31508:$g5: get_ShiftKeyDown 0x31519:$g6: get_AltKeyDown
4.0.New Order.exe.400000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.8.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.New Order.exe.400000.8.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x33b9f:$s10: logins 0x33517:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown 0x31508:$g5: get_ShiftKeyDown 0x31519:$g6: get_AltKeyDown
4.0.New Order.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.0.New Order.exe.400000.4.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
4.0.New Order.exe.400000.4.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x33b9f:$s10: logins 0x33517:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown 0x31508:$g5: get_ShiftKeyDown 0x31519:$g6: get_AltKeyDown
0.2.New Order.exe.3606cd0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.New Order.exe.3606cd0.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.New Order.exe.3606cd0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.New Order.exe.3606cd0.3.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d16:$s1: get_kbok 0x66b36:$s1: get_kbok 0x3164a:$s2: get_CHoo 0x6746a:$s2: get_CHoo 0x322a5:$s3: set_passwordIsSet 0x680c5:$s3: set_passwordIsSet 0x30b1a:$s4: get_enableLog 0x6693a:$s4: get_enableLog 0x351c3:$s8: torbrowser 0x6afe3:$s8: torbrowser 0x33b9f:$s10: logins 0x699bf:$s10: logins 0x33517:$s11: credential 0x69337:$s11: credential 0x2ff0d:$g1: get_Clipboard 0x65d2d:$g1: get_Clipboard 0x2ff1b:$g2: get_Keyboard 0x65d3b:$g2: get_Keyboard 0x2ff28:$g3: get_Password 0x65d48:$g3: get_Password 0x314f8:$g4: get_CtrlKeyDown
Click to see the 27 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.New Order.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.navetesilazi.ro/", "Username": "sunny@navetesilazi.ro", "Password": "u,S2gsd@*K7C"}

Multi AV Scanner detection for submitted file

Source: New Order.exe	Virustotal: Detection: 37%			Perma Link
Source: New Order.exe	ReversingLabs: Detection: 31%

Machine Learning detection for sample

Source: New Order.exe

Joe Sandbox ML: detected

Source: 4.2.New Order.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.New Order.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.New Order.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.New Order.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.New Order.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 4.0.New Order.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8

Source: New Order.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: New Order.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\New Order.exe

Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

0_2_06A6D530

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.New Order.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Order.exe.3606cd0.3.raw.unpack, type: UNPACKEDPE

Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ftp://ftp.navetesilazi.ro/sunny
Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: New Order.exe, 00000004.00000002.521962296.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255603989.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: New Order.exe, 00000000.00000003.260043589.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263069055.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259679585.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260675550.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259189127.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262944790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262794568.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260575464.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262733473.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.264325169.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: New Order.exe, 00000000.00000003.260043589.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263069055.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259679585.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260675550.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259189127.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262944790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262794568.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260575464.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262733473.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.264325169.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html6
Source: New Order.exe, 00000000.00000003.256313284.00000000053B3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260373768.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260315925.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261719581.00000000053FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlX
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261343363.00000000053FC000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlht
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comG
Source: New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: New Order.exe, 00000000.00000003.267297280.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267127411.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.294277019.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267151398.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267521568.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267112661.00000000053F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261776381.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261750999.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comaN
Source: New Order.exe, 00000000.00000003.260315925.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdQ
Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdb
Source: New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261911453.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261838549.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261930191.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262477906.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262431790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdi
Source: New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260864090.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260920245.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comdt
Source: New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessedb
Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261734967.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261776381.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261750999.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261690313.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261670238.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessedi
Source: New Order.exe, 00000000.00000003.260403237.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260535172.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comld
Source: New Order.exe, 00000000.00000003.267127411.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267151398.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267112661.00000000053F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comldvP
Source: New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comlic
Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260920245.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261310707.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261284495.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comoitu
Source: New Order.exe, 00000000.00000003.261536074.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261242239.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261707286.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261615691.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261008326.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261594663.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260864090.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261468260.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261363692.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261487868.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261329710.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261504574.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261054840.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261573979.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261195291.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260945047.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261690313.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261520264.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261402977.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261265180.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260920245.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comony
Source: New Order.exe, 00000000.00000003.267297280.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267127411.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.294277019.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267151398.00000000053F5000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.267521568.00000000053F5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comrsiva
Source: New Order.exe, 00000000.00000003.261800272.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262150037.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262074018.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261962697.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262215325.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261947858.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262371935.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262129266.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261776381.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261982834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262402257.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261911453.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262187348.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262168734.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261997015.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262236657.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262261834.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261838549.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.261930191.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262477906.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.262431790.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comtuta
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: New Order.exe, 00000000.00000003.254695939.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.254580619.00000000053E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: New Order.exe, 00000000.00000003.255367660.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255219858.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255017818.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255127554.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255187356.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255151097.00000000053ED000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.254970898.00000000053EF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.255136855.00000000053EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/L;;
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: New Order.exe, 00000000.00000003.254695939.00000000053EA000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.254580619.00000000053E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnt
Source: New Order.exe, 00000000.00000003.263291014.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: New Order.exe, 00000000.00000003.263269630.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263528813.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263370715.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263353480.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263502565.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263983826.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.263291014.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: New Order.exe, 00000000.00000003.256813993.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.256855458.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.256943522.00000000053E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/#
Source: New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258296537.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258296537.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.256943522.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Gras
Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259597195.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260131394.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259941673.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259443452.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258929215.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259855092.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.260100966.00000000053F3000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.259361235.00000000053F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: New Order.exe, 00000000.00000003.257146126.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257263804.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257046797.00000000053E9000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257543837.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257483589.00000000053F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ue
Source: New Order.exe, 00000000.00000003.257696041.00000000053F2000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257978806.00000000053EE000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.257924602.00000000053F0000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000000.00000003.258046006.00000000053EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/wa
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: New Order.exe, 00000000.00000003.255250488.00000000053BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.
Source: New Order.exe, 00000000.00000003.255146264.00000000053EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: New Order.exe, 00000000.00000003.254052864.00000000053C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com;
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: New Order.exe, 00000000.00000002.301860506.0000000006642000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ySmlPP.com
Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gp8eppjNNQTPw.net
Source: New Order.exe, 00000004.00000003.502947482.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gp8eppjNNQTPw.net853321935-2125563209-4053062332-1002_Classes
Source: New Order.exe, 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp, New Order.exe, 00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp, New Order.exe, 00000004.00000000.290944064.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: New Order.exe, 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: New Order.exe, 00000000.00000002.295210516.000000000080A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.New Order.exe.3606cd0.3.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.New Order.exe.24e4ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 4.0.New Order.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.New Order.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.New Order.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.New Order.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.New Order.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.New Order.exe.3606cd0.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: New Order.exe PID: 6868, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: New Order.exe

.NET source code contains very large array initializations

Source: 4.2.New Order.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b04ABEA9Cu002dD42Du002d49B5u002dA531u002d8B2C266481EEu007d/u00373E4875Au002d7B70u002d4F11u002dBD68u002d29AE886A5E85.cs	Large array initialization: .cctor: array initializer size 11948
Source: 4.0.New Order.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b04ABEA9Cu002dD42Du002d49B5u002dA531u002d8B2C266481EEu007d/u00373E4875Au002d7B70u002d4F11u002dBD68u002d29AE886A5E85.cs	Large array initialization: .cctor: array initializer size 11948
Source: 4.0.New Order.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b04ABEA9Cu002dD42Du002d49B5u002dA531u002d8B2C266481EEu007d/u00373E4875Au002d7B70u002d4F11u002dBD68u002d29AE886A5E85.cs	Large array initialization: .cctor: array initializer size 11948
Source: 4.0.New Order.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b04ABEA9Cu002dD42Du002d49B5u002dA531u002d8B2C266481EEu007d/u00373E4875Au002d7B70u002d4F11u002dBD68u002d29AE886A5E85.cs	Large array initialization: .cctor: array initializer size 11948

Source: New Order.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0.2.New Order.exe.3606cd0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.New Order.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.New Order.exe.24e4ef8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 4.0.New Order.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.New Order.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.New Order.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.New Order.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.New Order.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.New Order.exe.3606cd0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000004.00000002.521456203.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: New Order.exe PID: 6868, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0246E570	0_2_0246E570
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0246E580	0_2_0246E580
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_0246BCF4	0_2_0246BCF4
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69618	0_2_06A69618
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A65658	0_2_06A65658
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A62250	0_2_06A62250
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A66B28	0_2_06A66B28
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69898	0_2_06A69898
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69617	0_2_06A69617
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A6AE60	0_2_06A6AE60
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A65648	0_2_06A65648
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A62DB8	0_2_06A62DB8
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61DE0	0_2_06A61DE0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61DD0	0_2_06A61DD0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A6750B	0_2_06A6750B
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69AEA	0_2_06A69AEA
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A6722F	0_2_06A6722F
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A67230	0_2_06A67230
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A66200	0_2_06A66200
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A60A68	0_2_06A60A68
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A62248	0_2_06A62248
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A60A58	0_2_06A60A58
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61B87	0_2_06A61B87
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61B88	0_2_06A61B88
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69323	0_2_06A69323
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69330	0_2_06A69330
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69B03	0_2_06A69B03
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A66B18	0_2_06A66B18
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69B61	0_2_06A69B61
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A69B45	0_2_06A69B45
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A6988B	0_2_06A6988B
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61808	0_2_06A61808
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A61818	0_2_06A61818
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A6206F	0_2_06A6206F
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A62070	0_2_06A62070
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A661F8	0_2_06A661F8
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_06A671CC	0_2_06A671CC
Source: C:\Users\user\Desktop\New Order.exe	Code function: 0_2_00062050	0_2_00062050
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C9C0A0	4_2_00C9C0A0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C92020	4_2_00C92020
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C92D50	4_2_00C92D50
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C92768	4_2_00C92768
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C9F308	4_2_00C9F308
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00C9B920	4_2_00C9B920
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E50040	4_2_00E50040
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E52308	4_2_00E52308
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E59460	4_2_00E59460
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E55EAC	4_2_00E55EAC
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E5EFC8	4_2_00E5EFC8
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E5003D	4_2_00E5003D
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00E543E0	4_2_00E543E0
Source: C:\Users\user\Desktop\New Order.exe	Code function: 4_2_00632050	4_2_00632050

Source: New Order.exe	Binary or memory string: OriginalFilename vs New Order.exe
Source: New Order.exe, 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTPojXuVgRwvTuslAVhGVJFKrC.exe4 vs New Order.exe
Source: New Order.exe, 00000000.00000002.298887082.00000000034BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs New Order.exe
Source: New Order.exe, 00000000.00000002.295210516.000000000080A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs New Order.exe
Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs New Order.exe
Source: New Order.exe, 00000000.00000002.297102320.00000000024A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTPojXuVgRwvTuslAVhGVJFKrC.exe4 vs New Order.exe
Source: New Order.exe, 00000000.00000003.280367821.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs New Order.exe
Source: New Order.exe, 00000000.00000002.302500433.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs New Order.exe
Source: New Order.exe	Binary or memory string: OriginalFilename vs New Order.exe
Source: New Order.exe, 00000004.00000000.292255451.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTPojXuVgRwvTuslAVhGVJFKrC.exe4 vs New Order.exe
Source: New Order.exe, 00000004.00000002.520356033.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs New Order.exe
Source: New Order.exe	Binary or memory string: OriginalFilenameBHMCc.exe8 vs New Order.exe

Source: New Order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: New Order.exe	Virustotal: Detection: 37%
Source: New Order.exe	ReversingLabs: Detection: 31%

Source: New Order.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\New Order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\New Order.exe "C:\Users\user\Desktop\New Order.exe"
Source: C:\Users\user\Desktop\New Order.exe	Process created: C:\Users\user\Desktop\New Order.exe {path}
Source: C:\Users\user\Desktop\New Order.exe	Process created: C:\Users\user\Desktop\New Order.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\New Order.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\New Order.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\New Order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\New Order.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: 4.2.New Order.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.New Order.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.New Order.exe.400000.12.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.New Order.exe.400000.12.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.New Order.exe.400000.10.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.New Order.exe.400000.10.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\New Order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\New Order.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: New Order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: New Order.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
New Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New Order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Windows Analysis Report
New Order.exe