
Analysis Report POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Overview

General Information

Sample Name: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
Analysis ID: 355200
MD5: afcc0c7f6fadf41949e66c9325b9f843
SHA1: c1562634e7d393b54606731becad8d4d11fcba39
SHA256: 7dc65cb43a6491e7da09935a8e8d20c33873fc75e370b9a701aea0a660e85b80
Tags: exe, NanoCore, RAT


Detection

NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • POEA ADVISORY ON DELISTED AGENCIES.pdf.exe (PID: 2412 cmdline: 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' MD5: AFCC0C7F6FADF41949E66C9325B9F843)
    • schtasks.exe (PID: 5592 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • POEA ADVISORY ON DELISTED AGENCIES.pdf.exe (PID: 3492 cmdline: {path} MD5: AFCC0C7F6FADF41949E66C9325B9F843)
      • schtasks.exe (PID: 5580 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA223.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • POEA ADVISORY ON DELISTED AGENCIES.pdf.exe (PID: 5904 cmdline: 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' 0 MD5: AFCC0C7F6FADF41949E66C9325B9F843)
    • schtasks.exe (PID: 5704 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmp5650.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4#=qs2bxKs15DbteFYTMsjthM8IIAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x31577:$a: NanoCore
  • 0x315d0:$a: NanoCore
  • 0x3160d:$a: NanoCore
  • 0x31686:$a: NanoCore
  • 0x315d9:$b: ClientPlugin
  • 0x31616:$b: ClientPlugin
  • 0x31f14:$b: ClientPlugin
  • 0x31f21:$b: ClientPlugin
  • 0x276fa:$e: KeepAlive
  • 0x31a61:$g: LogClientMessage
  • 0x319e1:$i: get_Connected
  • 0x219ad:$j: #=q
  • 0x219dd:$j: #=q
  • 0x21a19:$j: #=q
  • 0x21a41:$j: #=q
  • 0x21a71:$j: #=q
  • 0x21aa1:$j: #=q
  • 0x21ad1:$j: #=q
  • 0x21b01:$j: #=q
  • 0x21b1d:$j: #=q
  • 0x21b4d:$j: #=q
00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000012.00000002.327064470.0000000002DD1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0x287a1:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
  • 0x287ce:$x2: IClientNetworkHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x287a1:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0x2987c:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
  • 0x287bb:$s5: IClientLoggingHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, ProcessId: 3492, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' , ParentImage: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, ParentProcessId: 2412, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp', ProcessId: 5592
Sigma detected: Suspicious Double Extension
Source: Process started; Author: Florian Roth (rule), @blu3_team (idea); Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, NewProcessName: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, OriginalFileName: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' , ParentImage: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, ParentProcessId: 2412, ProcessCommandLine: {path}, ProcessId: 3492

Signature Overview


AV Detection:

Found malware configuration
        Source: 00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4#=qs2bxKs15DbteFYTMsjthM8IIAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n 
<RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Yara detected Nanocore RAT
Source: Yara match; File source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.327064470.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\gVFZdFg.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe; Joe Sandbox ML: detected
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49704 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49706 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49707 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49708 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49709 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49710 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49711 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49712 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49713 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49714 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49715 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49716 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49717 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49718 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49719 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49720 -> 91.212.153.84:9036
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49721 -> 91.212.153.84:9036
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: shahzad73.ddns.net
Source: Malware configuration extractor; URLs: shahzad73.casacam.net
Source: global traffic; TCP traffic: 192.168.2.3:49704 -> 91.212.153.84:9036
Source: Joe Sandbox View; IP Address: 91.212.153.84
Source: Joe Sandbox View; ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE
Source: unknown; DNS traffic detected: queries for: shahzad73.casacam.net
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.206587822.00000000063F2000.00000004.00000001.sdmp; String found in binary or memory: http://en.wB$
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.209891258.0000000006426000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com5
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comF
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.261954858.00000000063E0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comFB
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.209218281.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comFM
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.261954858.00000000063E0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.coma
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comals
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comcomd
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.261954858.00000000063E0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comgrito
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comue
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comueTF
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.205634366.00000000063E4000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cned
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.205634366.00000000063E4000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnemM
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.211063461.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/es-e
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/5
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/va
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/vno
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.286188722.000000000C020000.00000002.00000001.sdmp, POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.327064470.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)
        Source: 00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.300424422.0000000004893000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2dfcd94.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b0869.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 0_2_00F72050
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 0_2_01AACBBC
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 0_2_01AAEB20
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 0_2_01AAEB30
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_00EB2050
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_030BEB20
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_030BEB30
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_030BCBBC
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_057FF008
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_057FEFF7
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_008D2050
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_0529E471
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_0529E480
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_0529BBD4
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_053FF5F8
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_053F9788
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_053FA5D0
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: gVFZdFg.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Binary or memory string: OriginalFilename vs POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000000.200168393.0000000000F72000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameG vs POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.300424422.0000000004893000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2dfcd94.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2dfcd94.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b0869.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
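        The rule hits above name their sources in two forms: memory dumps (`00000012.00000002.<n>.<address>....sdmp`) and unpacked PE regions (`18.2.<image name>.<address>.<counter>[.raw].unpack`). The script below is an added example, not part of the sandbox output; it parses abridged copies of lines from this listing and groups rule names by process so the three rules can be compared per process at a glance. It assumes, from the entries on this page (0x12 = 18, 0x08 = 8, 0x04 = 4, 0x00 = 0), that the leading eight-hex-digit field of a dump name is the same process index the `.unpack` names carry in decimal, and it reads the fourth field of a dump name and the hex field before the counter in an `.unpack` name as load addresses.

```python
"""Group Yara hits from a sandbox report by process index and rule name.

Added example, not part of the report. REPORT_LINES holds abridged copies
of this page's "Matched rule" entries (a '|' between the two table columns
is optional to the parser). Assumption inferred from the page: the
8-hex-digit prefix of a .sdmp name and the leading decimal of a .unpack
name are the same process index.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

REPORT_LINES = [
    "Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth",
    "Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, author = Kevin Breen <kevin@techanarchy.net>",
    "Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, author = Kevin Breen <kevin@techanarchy.net>",
    "Source: 00000004.00000003.300424422.0000000004893000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, author = Kevin Breen <kevin@techanarchy.net>",
    "Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, author = Florian Roth",
    "Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth",
]

# "Source: <name>, type: MEMORY|UNPACKEDPE [|] Matched rule: <rule> ..."
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>MEMORY|UNPACKEDPE)\s*\|?\s*Matched rule:\s*(?P<rule>\S+)"
)
# 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp
SDMP_RE = re.compile(r"^(?P<pid>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<addr>[0-9A-Fa-f]{16})\.")
# 18.2.<image name>.<hex addr>.<counter>[.raw].unpack
UNPACK_RE = re.compile(r"^(?P<pid>\d+)\.\d+\..+\.(?P<addr>[0-9a-f]+)\.\d+(?:\.raw)?\.unpack$")


class Hit(NamedTuple):
    pid: int
    kind: str
    addr: int
    rule: str


def parse_hit(line: str) -> Optional[Hit]:
    """Return a Hit for one 'Matched rule' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind, rule = m.group("src"), m.group("kind"), m.group("rule")
    sm = SDMP_RE.match(src) if kind == "MEMORY" else UNPACK_RE.match(src)
    if not sm:
        return None
    # Dump names carry the process index in hex, .unpack names in decimal.
    pid = int(sm.group("pid"), 16 if kind == "MEMORY" else 10)
    return Hit(pid=pid, kind=kind, addr=int(sm.group("addr"), 16), rule=rule)


def rules_by_process(lines: List[str]) -> Dict[int, Set[str]]:
    """Map process index -> set of Yara rule names that fired in it."""
    out: Dict[int, Set[str]] = defaultdict(set)
    for line in lines:
        hit = parse_hit(line)
        if hit:
            out[hit.pid].add(hit.rule)
    return dict(out)


def hits_in_range(lines: List[str], lo: int = 0x400000, hi: int = 0x500000) -> List[Hit]:
    """Hits whose address lies in [lo, hi). With the defaults this is a
    heuristic for 'inside a module mapped at the usual 32-bit image base'
    as opposed to a heap buffer holding a config or a staged payload."""
    return [h for h in map(parse_hit, lines) if h and lo <= h.addr < hi]


if __name__ == "__main__":
    for pid, rules in sorted(rules_by_process(REPORT_LINES).items()):
        print(f"process {pid:>2}: {', '.join(sorted(rules))}")
    for h in hits_in_range(REPORT_LINES):
        print(f"module-range hit: pid={h.pid} addr={h.addr:#x} rule={h.rule}")
```

        Run as-is it lists, per process, which of the three rules fired; `hits_in_range` separates hits inside the module mapped at the default image base from hits in heap regions, which is the distinction that matters when deciding which dump to carve for the payload.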
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: gVFZdFg.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/11@17/1
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | File created: C:\Users\user\AppData\Roaming\gVFZdFg.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1380:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_01
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{c4cca249-81f6-4232-9f14-01569e09f5f0}
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\uNbBKzF
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_01
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF515.tmp
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000000.200168393.0000000000F72000.00000002.00020000.sdmp | Binary or memory string: select * from Goods where goods_name=@goods_name and goods_type_id=@goods_type_id and goods_code=@goods_code and specifications=@specifications and goods_wight=@goods_wight and goods_volume=@goods_volume and goods_note=@goods_note;SELECT * FROM Goods WHERE id=/select * from GoodsTypeIselect * from GoodsType where id=@idkUPDATE GoodsType SET goods_type=@goods_type where id=
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000000.200168393.0000000000F72000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO Client VALUES(@client_name,@client_address,@client_contacts,@client_phone,@client_note); DELETE FROM Client WHERE id=
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | File read: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Source: unknown | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA223.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' 0
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmp5650.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp'
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA223.tmp'
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmp5650.tmp'
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 0_2_01AAD4C0 push esp; retf
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 0_2_01AADBE0 push eax; iretd
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_030BD4C0 push esp; retf
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_030BDBE0 push eax; iretd
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_057F4213 pushad ; retf
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_057F1DFC push eax; retf
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_057FFF58 push eax; mov dword ptr [esp], edx
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_053F69F8 pushad ; retf
        Source: initial sample | Static PE information: section name: .text entropy: 7.55881445378
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | File created: C:\Users\user\AppData\Roaming\gVFZdFg.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | File opened: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe:Zone.Identifier read attributes | delete
        Uses an obfuscated file name to hide its real file extension (double extension)
        Source: Possible double extension: pdf.exe | Static PE information: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Window / User API: threadDelayed 5363
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Window / User API: threadDelayed 3996
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Window / User API: foregroundWindowGot 653
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Window / User API: foregroundWindowGot 741
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe TID: 160 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe TID: 4260 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe TID: 4708 | Thread sleep time: -9223372036854770s >= -30000s
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe TID: 5888 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe TID: 5928 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe TID: 160 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.269807401.0000000009DA2000.00000002.00000001.sdmp | Binary or memory string: =Qemuy}
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp'
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA223.tmp'
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmp5650.tmp'
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Queries volume information (VolumeInformation) on the following files, in the order observed:
            C:\Windows\Fonts\ONYX.TTF
            C:\Windows\Fonts\PARCHM.TTF
            C:\Windows\Fonts\PLAYBILL.TTF
            C:\Windows\Fonts\POORICH.TTF
            C:\Windows\Fonts\RAVIE.TTF
            C:\Windows\Fonts\INFROMAN.TTF
            C:\Windows\Fonts\SHOWG.TTF
            C:\Windows\Fonts\SNAP____.TTF
            C:\Windows\Fonts\STENCIL.TTF
            C:\Windows\Fonts\VINERITC.TTF
            C:\Windows\Fonts\VIVALDII.TTF
            C:\Windows\Fonts\VLADIMIR.TTF
            C:\Windows\Fonts\LATINWD.TTF
            C:\Windows\Fonts\TCM_____.TTF
            C:\Windows\Fonts\TCMI____.TTF
            C:\Windows\Fonts\TCB_____.TTF
            C:\Windows\Fonts\TCBI____.TTF
            C:\Windows\Fonts\TCCM____.TTF
            C:\Windows\Fonts\TCCB____.TTF
            C:\Windows\Fonts\TCCEB.TTF
            C:\Windows\Fonts\SCRIPTBL.TTF
            C:\Windows\Fonts\ROCK.TTF
            C:\Windows\Fonts\ROCKI.TTF
            C:\Windows\Fonts\ROCKB.TTF
            C:\Windows\Fonts\ROCKEB.TTF
            C:\Windows\Fonts\ROCKBI.TTF
            C:\Windows\Fonts\ROCC____.TTF
            C:\Windows\Fonts\ROCCB___.TTF
            C:\Windows\Fonts\RAGE.TTF
            C:\Windows\Fonts\PERTILI.TTF
            C:\Windows\Fonts\PERTIBD.TTF
            C:\Windows\Fonts\PER_____.TTF
            C:\Windows\Fonts\PERI____.TTF
            C:\Windows\Fonts\PERB____.TTF
            C:\Windows\Fonts\PERBI___.TTF
            C:\Windows\Fonts\PALSCRI.TTF
            C:\Windows\Fonts\OCRAEXT.TTF
            C:\Windows\Fonts\MAIAN.TTF
            C:\Windows\Fonts\LTYPE.TTF
            C:\Windows\Fonts\LTYPEO.TTF
            C:\Windows\Fonts\LTYPEB.TTF
            C:\Windows\Fonts\LTYPEBO.TTF
            C:\Windows\Fonts\LSANS.TTF
            C:\Windows\Fonts\LSANSD.TTF
            C:\Windows\Fonts\LSANSI.TTF
            C:\Windows\Fonts\LSANSDI.TTF
            C:\Windows\Fonts\IMPRISHA.TTF
            C:\Windows\Fonts\HATTEN.TTF
            C:\Windows\Fonts\GOUDYSTO.TTF
            C:\Windows\Fonts\GOUDOS.TTF
            C:\Windows\Fonts\GOUDOSI.TTF
            C:\Windows\Fonts\GOUDOSB.TTF
            C:\Windows\Fonts\GLECB.TTF
            C:\Windows\Fonts\GIL_____.TTF
            C:\Windows\Fonts\GILI____.TTF
            C:\Windows\Fonts\GILB____.TTF
            C:\Windows\Fonts\GILBI___.TTF
            C:\Windows\Fonts\GILC____.TTF
            C:\Windows\Fonts\GLSNECB.TTF
            C:\Windows\Fonts\GIGI.TTF
            C:\Windows\Fonts\FRABK.TTF
            C:\Windows\Fonts\FRABKIT.TTF
            C:\Windows\Fonts\FORTE.TTF
            C:\Windows\Fonts\FELIXTI.TTF
            C:\Windows\Fonts\ERASMD.TTF
            C:\Windows\Fonts\ERASLGHT.TTF
            C:\Windows\Fonts\ERASDEMI.TTF
            C:\Windows\Fonts\ERASBD.TTF
            C:\Windows\Fonts\ENGR.TTF
            C:\Windows\Fonts\ELEPHNT.TTF
            C:\Windows\Fonts\ELEPHNTI.TTF
            C:\Windows\Fonts\ITCEDSCR.TTF
            C:\Windows\Fonts\CURLZ___.TTF
            C:\Windows\Fonts\COPRGTL.TTF
            C:\Windows\Fonts\COPRGTB.TTF
            C:\Windows\Fonts\CENSCBK.TTF
            C:\Windows\Fonts\SCHLBKI.TTF
            C:\Windows\Fonts\SCHLBKB.TTF
            C:\Windows\Fonts\SCHLBKBI.TTF
            C:\Windows\Fonts\CASTELAR.TTF
            C:\Windows\Fonts\CALIST.TTF
            C:\Windows\Fonts\CALISTI.TTF
            C:\Windows\Fonts\CALISTB.TTF
            C:\Windows\Fonts\CALISTBI.TTF
            C:\Windows\Fonts\BOOKOS.TTF
            C:\Windows\Fonts\BOOKOSB.TTF
            C:\Windows\Fonts\BOOKOSI.TTF
            C:\Windows\Fonts\BOOKOSBI.TTF
            C:\Windows\Fonts\BOD_R.TTF
            C:\Windows\Fonts\BOD_I.TTF
            C:\Windows\Fonts\BOD_B.TTF
            C:\Windows\Fonts\BOD_BI.TTF
            C:\Windows\Fonts\BOD_CR.TTF
            C:\Windows\Fonts\BOD_BLAR.TTF
            C:\Windows\Fonts\BOD_CI.TTF
            C:\Windows\Fonts\BOD_CB.TTF
            C:\Windows\Fonts\BOD_BLAI.TTF
            C:\Windows\Fonts\BOD_CBI.TTF
            C:\Windows\Fonts\ITCBLKAD.TTF
            C:\Windows\Fonts\ARLRDBD.TTF
            C:\Windows\Fonts\AGENCYR.TTF
            C:\Windows\Fonts\AGENCYB.TTF
            C:\Windows\Fonts\BSSYM7.TTF
            C:\Windows\Fonts\REFSAN.TTF
            C:\Windows\Fonts\REFSPCL.TTF
            C:\Windows\Fonts\MTEXTRA.TTF
            C:\Windows\Fonts\marlett.ttf
            C:\Windows\Fonts\micross.ttf
            C:\Windows\Fonts\msyh.ttc
            C:\Windows\Fonts\msyhbd.ttc
            C:\Windows\Fonts\simsun.ttc
            C:\Windows\Fonts\msyhl.ttc
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
            C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
            C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
            C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
            C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
        The font-file and GAC assembly probes are the ordinary file activity of a .NET WinForms process initialising System.Drawing and resolving its referenced assemblies; on their own they are not an attacker-specific indicator. The one assembly worth noting is System.Management.dll, the managed WMI client through which the SecurityCenter2 queries below are issued.
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        WMI Queries (the following three ExecQuery calls were each observed 16 times, always in this order):
            IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
            IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
            IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
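
        The repeated SecurityCenter2 queries above are the security-software discovery behaviour (MITRE ATT&CK T1518.001) that the Mitre matrix at the end of this report credits to the sample. As an added example that is not part of this report or of Joe Sandbox, the Python below parses ExecQuery records written in the same "IWbemServices::ExecQuery - <namespace> : <WQL>" shape, flags queries against the AntiVirusProduct, AntiSpywareProduct and FirewallProduct classes, and ranks each querying process. The event list, the benign svchost.exe and powershell.exe records and the triage levels are constructed for illustration. Administrative tooling also reads SecurityCenter2, so the rule keys on the combination of all three classes from an image under C:\Users\ rather than on any single query.

```python
"""Flag SecurityCenter2 security-product enumeration (MITRE T1518.001) in WMI ExecQuery records."""
import re
from collections import defaultdict

# Operation strings in the shape the report lists: "IWbemServices::ExecQuery - <namespace> : <WQL>"
EXECQUERY_RE = re.compile(r"IWbemServices::ExecQuery\s*-\s*(?P<ns>[^\s:]+)\s*:\s*(?P<wql>.+)$", re.I)
FROM_RE = re.compile(r"\bFROM\s+(?P<cls>[A-Za-z0-9_]+)", re.I)

SECURITY_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}
SAMPLE_IMAGE = r"C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe"

# Constructed input: the three queries the report attributes to the sample, repeated twice,
# plus two benign-looking records (an svchost CIMV2 query and an admin PowerShell one-off).
_SAMPLE_QUERIES = [
    (SAMPLE_IMAGE, r"IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct"),
    (SAMPLE_IMAGE, r"IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct"),
    (SAMPLE_IMAGE, r"IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct"),
]
SAMPLE_EVENTS = _SAMPLE_QUERIES * 2 + [
    (r"C:\Windows\System32\svchost.exe",
     r"IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_OperatingSystem"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName, productState FROM AntiVirusProduct"),
]


def parse_execquery(operation):
    """Return (namespace, wql, class) for an ExecQuery record, or None for anything else."""
    m = EXECQUERY_RE.search(operation)
    if not m:
        return None
    ns = m.group("ns").strip("\\").lower()          # "ROOT\SecurityCenter2" -> "root\securitycenter2"
    wql = m.group("wql").strip()
    cm = FROM_RE.search(wql)
    return ns, wql, (cm.group("cls").lower() if cm else "")


def is_security_product_query(operation):
    """True when the query enumerates AV/antispyware/firewall products in root\\SecurityCenter2."""
    parsed = parse_execquery(operation)
    return parsed is not None and parsed[0] == "root\\securitycenter2" and parsed[2] in SECURITY_CLASSES


def triage(events):
    """Rank processes: all three classes queried from an image under C:\\Users\\ is 'high',
    one of those two conditions is 'medium', a partial query from a system path is 'low'."""
    hits = defaultdict(lambda: {"classes": set(), "count": 0})
    for image, operation in events:
        if is_security_product_query(operation):
            hits[image]["classes"].add(parse_execquery(operation)[2])
            hits[image]["count"] += 1
    order = {"high": 0, "medium": 1, "low": 2}
    results = []
    for image, info in hits.items():
        user_path = image.lower().startswith("c:\\users\\")
        full_sweep = info["classes"] == SECURITY_CLASSES
        level = "high" if (full_sweep and user_path) else "medium" if (full_sweep or user_path) else "low"
        results.append((image, level, sorted(info["classes"]), info["count"]))
    return sorted(results, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for image, level, classes, count in triage(SAMPLE_EVENTS):
        print(f"{level:6} {count:2}x {','.join(classes):55} {image}")
```

        Run against the constructed events, the sample ranks "high" with six hits across all three classes, while the PowerShell record, which touches only AntiVirusProduct from a system path, stays "low". Feed real records from whatever source logs ExecQuery operations in your environment in place of SAMPLE_EVENTS.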

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match; File source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000012.00000002.327064470.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE
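
        Reading the match list: each MEMORY entry names a memory dump and each UNPACKEDPE entry names an unpacked image, and the identifiers encode where in which process the NanoCore bytes were found. As an added example that is not part of this report or of Joe Sandbox, the Python below decodes those identifiers and groups the matches per process. The field layout of the .sdmp names is inferred from the identifiers on this page (the leading hex field equals the process index that prefixes the unpack names, the second matches the ".2." snapshot index, and the fifth holds PAGE_* values such as 0x40 and 0x04); it is not taken from Joe Sandbox documentation, so treat that mapping as an assumption. The MATCH_SOURCES list is the 17 entries above, copied in as constructed input.

```python
"""Decode Yara memory-dump / unpacked-PE identifiers and correlate them per process."""
import re
from collections import defaultdict

# Windows PAGE_* memory protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# ASSUMED layout of the six dotted fields in a .sdmp name, inferred from this page only:
# <proc hex>.<snapshot hex>.<uid>.<base address hex>.<PAGE_* hex>.<last>.sdmp  (uid and last are not decoded)
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<snap>[0-9a-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<last>[0-9a-f]{8})\.sdmp$", re.I)
# <proc>.<snapshot>.<image name>.<address hex>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<snap>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-f]+)\.(?P<idx>\d+)\.(?P<raw>raw\.)?unpack$", re.I)

SAMPLE_NAME = "POEA ADVISORY ON DELISTED AGENCIES.pdf.exe"
MATCH_SOURCES = [  # constructed from the 17 File source entries listed above
    "00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp",
    "00000012.00000002.327064470.0000000002DD1000.00000004.00000001.sdmp",
    "00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp",
    "00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp",
    "00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp",
    "00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp",
    f"18.2.{SAMPLE_NAME}.3e20624.4.raw.unpack", f"18.2.{SAMPLE_NAME}.3e1b7ee.5.raw.unpack",
    f"8.2.{SAMPLE_NAME}.4389d68.1.unpack", f"18.2.{SAMPLE_NAME}.3e20624.4.unpack",
    f"0.2.{SAMPLE_NAME}.45971d8.3.raw.unpack", f"8.2.{SAMPLE_NAME}.4389d68.1.raw.unpack",
    f"0.2.{SAMPLE_NAME}.45645b8.2.unpack", f"0.2.{SAMPLE_NAME}.45645b8.2.raw.unpack",
    f"18.2.{SAMPLE_NAME}.3e24c4d.6.raw.unpack", f"18.2.{SAMPLE_NAME}.400000.0.unpack",
    f"0.2.{SAMPLE_NAME}.4474508.1.raw.unpack",
]


def parse_match(file_source):
    """Decode one 'File source' identifier into a dict, or None if its shape is not recognised."""
    m = SDMP_RE.match(file_source)
    if m:
        prot = int(m.group("prot"), 16)
        return {"kind": "memory", "proc": int(m.group("proc"), 16), "snap": int(m.group("snap"), 16),
                "base": int(m.group("base"), 16), "protect": PAGE_PROTECT.get(prot, hex(prot)),
                "executable": prot in EXECUTABLE}
    m = UNPACK_RE.match(file_source)
    if m:
        return {"kind": "unpacked_pe", "proc": int(m.group("proc")), "snap": int(m.group("snap")),
                "base": int(m.group("addr"), 16), "raw": m.group("raw") is not None}
    return None


def summarize(sources):
    """Per process index: number of matching memory regions, which of them were executable,
    and the distinct base addresses of matching unpacked PE images."""
    by_proc = defaultdict(lambda: {"memory": [], "unpacked_pe": []})
    for source in sources:
        decoded = parse_match(source)
        if decoded is not None:
            by_proc[decoded["proc"]][decoded["kind"]].append(decoded)
    report = {}
    for proc, groups in sorted(by_proc.items()):
        report[proc] = {
            "memory_regions": len(groups["memory"]),
            "executable_regions": sorted(hex(d["base"]) for d in groups["memory"] if d["executable"]),
            "unpacked_pe_bases": sorted({hex(d["base"]) for d in groups["unpacked_pe"]}),
        }
    return report


if __name__ == "__main__":
    for proc, info in summarize(MATCH_SOURCES).items():
        print(f"process {proc}: {info}")
```

        Under the assumed layout, the only executable region carrying a match is 0x402000 in process 18, just above the unpacked PE at base 0x400000 in the same process, while processes 0 and 8 hold the payload only in PAGE_READWRITE regions. An RWX region at an image base in a child that was created suspended (see the "Creates a process in suspended mode" signature) is consistent with a payload written into the process by the earlier stages rather than mapped by the loader, which is where to start if you need to carve the final NanoCore binary from a dump.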

        Remote Access Functionality:

        Yara detected Nanocore RAT
        Source: the same 17 Yara matches (six MEMORY dumps and eleven UNPACKEDPE images) listed under "Stealing of Sensitive Information" above; the signature is attributed to both categories.

MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count of matching signatures)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (3); Disable or Modify Tools (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Hidden Files and Directories (1); Obfuscated Files or Information (12); Software Packing (13)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (3); Process Discovery (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12); Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 355200; Sample: POEA ADVISORY ON DELISTED A...; Startdate: 19/02/2021; Architecture: WINDOWS; Score: 100

Signatures on the sample node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

Process tree (graph node ids in brackets):

• [8] POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, started by the sample
  • dropped [32] C:\Users\user\AppData\Roaming\gVFZdFg.exe, PE32
  • dropped [34] C:\Users\user\AppData\Local\...\tmpF515.tmp, XML
  • dropped [36] POEA ADVISORY ON D...GENCIES.pdf.exe.log, ASCII
  • started [13] POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
    • DNS/IP [40] shahzad73.casacam.net 91.212.153.84, 49704, 49706, 49707, MYLOC-ASIPBackboneofmyLocmanagedITAGDE, unknown
    • dropped [38] C:\Users\user\AppData\Roaming\...\run.dat, ISO-8859
    • signature [50] Hides that the sample has been downloaded from the Internet (zone.identifier)
    • started [24] schtasks.exe
      • started [30] conhost.exe
  • started [18] schtasks.exe
    • started [26] conhost.exe
• [11] POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, started by the sample
  • started [20] schtasks.exe
    • started [28] conhost.exe
  • started [22] POEA ADVISORY ON DELISTED AGENCIES.pdf.exe


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | 9% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot
POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\gVFZdFg.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\gVFZdFg.exe | 9% | ReversingLabs | ByteCode-MSIL.Backdoor.NanoBot

Unpacked PE Files

Source | Detection | Scanner | Label
8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48128e8.2.unpack | 100% | Avira | HEUR/AGEN.1110362
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

Domains

Source | Detection | Scanner | Label
shahzad73.casacam.net | 5% | Virustotal |

        URLs


Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
shahzad73.casacam.net | 91.212.153.84 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
shahzad73.ddns.net | true | Avira URL Cloud: safe | unknown
shahzad73.casacam.net | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries


Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
91.212.153.84 | unknown | unknown | 24961 | MYLOC-ASIPBackboneofmyLocmanagedITAGDE | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 355200
Start date: 19.02.2021
Start time: 08:27:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 4s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/11@17/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.255.188.83, 104.43.139.144, 184.30.24.56
• Excluded domains from analysis (whitelisted): skypedataprdcoleus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, fs.microsoft.com, blobcollector.events.data.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
08:28:39 | API Interceptor | 921x Sleep call for process: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe modified
08:29:00 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe" s>$(Arg0)

                              Joe Sandbox View / Context

                              IPs

                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                              91.212.153.84 | POEA ADVISORY NO 450 2021.pdf.exe | Get hash | malicious | Browse |
                                | POEA DELISTED AGENCIES (BATCH A).PDF.exe | Get hash | malicious | Browse |
                                | POEA MEMORANDUM N0 056.exe | Get hash | malicious | Browse |
                                | Protected.exe | Get hash | malicious | Browse |
                                | Protected.2.exe | Get hash | malicious | Browse |

                                        Domains

                                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                        shahzad73.casacam.net | POEA ADVISORY NO 450 2021.pdf.exe | Get hash | malicious | Browse | 91.212.153.84
                                          | POEA DELISTED AGENCIES (BATCH A).PDF.exe | Get hash | malicious | Browse | 91.212.153.84
                                          | POEA MEMORANDUM N0 056.exe | Get hash | malicious | Browse | 91.212.153.84
                                          | Protected.exe | Get hash | malicious | Browse | 91.212.153.84
                                          | Protected.2.exe | Get hash | malicious | Browse | 91.212.153.84

                                        ASN

                                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                        MYLOC-AS IP Backbone of myLoc managed IT AG DE | POEA ADVISORY NO 450 2021.pdf.exe | Get hash | malicious | Browse | 91.212.153.84
                                          | POEA DELISTED AGENCIES (BATCH A).PDF.exe | Get hash | malicious | Browse | 91.212.153.84
                                          | POEA MEMORANDUM N0 056.exe | Get hash | malicious | Browse | 91.212.153.84
                                          | Swift_Payment_jpeg.exe | Get hash | malicious | Browse | 62.141.37.17
                                          | Protected.exe | Get hash | malicious | Browse | 91.212.153.84
                                          | Protected.2.exe | Get hash | malicious | Browse | 91.212.153.84
                                          | FickerStealer.exe | Get hash | malicious | Browse | 89.163.225.172
                                          | Documentaci#U00f3n.doc | Get hash | malicious | Browse | 89.163.210.141
                                          | SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe | Get hash | malicious | Browse | 89.163.140.102
                                          | TaskAudio Driver.exe | Get hash | malicious | Browse | 193.111.198.220
                                          | Z8363664.doc | Get hash | malicious | Browse | 89.163.210.141
                                          | OhGodAnETHlargementPill2.exe | Get hash | malicious | Browse | 193.111.198.220
                                          | godflex-r2.exe | Get hash | malicious | Browse | 193.111.198.220
                                          | PolarisBiosEditor-master.exe | Get hash | malicious | Browse | 193.111.198.220
                                          | NKsplucdAu.exe | Get hash | malicious | Browse | 85.114.134.88
                                          | lZVNh1BPxm.exe | Get hash | malicious | Browse | 85.114.134.88
                                          | qG5E4q8Cv5.exe | Get hash | malicious | Browse | 85.114.134.88
                                          | SecuriteInfo.com.BehavesLike.Win32.Generic.cc.exe | Get hash | malicious | Browse | 85.114.134.88
                                          | http://lecomptoirdusushi.com/commandes/menu-sushi-saumon/ | Get hash | malicious | Browse | 81.30.158.195
                                          | klzBd4IEfv.exe | Get hash | malicious | Browse | 85.114.134.130

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.log
                                        Process:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.355304211458859
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                        C:\Users\user\AppData\Local\Temp\tmp5650.tmp
                                        Process:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1640
                                        Entropy (8bit):5.1929793820733705
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBrrtn:cbh47TlNQ//rydbz9I3YODOLNdq3lp
                                        MD5:777992096A9A67A264806BC484673046
                                        SHA1:B3ABDCA7929B2F4177810B5DCB140B168B9C0F88
                                        SHA-256:83AB2C79DD7FDD193DA964ADD86534E8EC7D0EC73485107B44DE9453D15A6974
                                        SHA-512:04754FFEFF30AA98F34EF3E0CDBE2B1BE5FF484365F95438350D7F2FB24CF7287F22AA85F6411F8902A84325BA0B5A64643D9C76CECD9B9C38E5DC51F454B0DC
                                        Malicious:false
                                        Reputation:low
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        C:\Users\user\AppData\Local\Temp\tmpA223.tmp
                                        Process:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1328
                                        Entropy (8bit):5.143109702372082
                                        Encrypted:false
                                        SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mw4mrYxtn:cbk4oL600QydbQxIYODOLedq3sxrYj
                                        MD5:DB01E81FC21BAD2017D4CB7505FF46F7
                                        SHA1:B5B5BF431C4C0E36EBA26B235FA9A7632F3CAE94
                                        SHA-256:442D9A3AD817160E10905025C72E9DD9810B7179ADC27884B7AFF86A1B1905C5
                                        SHA-512:3982F415F065F84C243A5444F5CF9D51DC715B8B5DD2781A0E048E1CBC808846CE3FA1795A282DF452BCD024A4664CBC63DDF0C0A7C5F7608E176CDEC9B91ACE
                                        Malicious:false
                                        Reputation:low
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                        C:\Users\user\AppData\Local\Temp\tmpF515.tmp
                                        Process:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1640
                                        Entropy (8bit):5.1929793820733705
                                        Encrypted:false
                                        SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBrrtn:cbh47TlNQ//rydbz9I3YODOLNdq3lp
                                        MD5:777992096A9A67A264806BC484673046
                                        SHA1:B3ABDCA7929B2F4177810B5DCB140B168B9C0F88
                                        SHA-256:83AB2C79DD7FDD193DA964ADD86534E8EC7D0EC73485107B44DE9453D15A6974
                                        SHA-512:04754FFEFF30AA98F34EF3E0CDBE2B1BE5FF484365F95438350D7F2FB24CF7287F22AA85F6411F8902A84325BA0B5A64643D9C76CECD9B9C38E5DC51F454B0DC
                                        Malicious:true
                                        Reputation:low
                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                        Process:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1856
                                        Entropy (8bit):7.089541637477408
                                        Encrypted:false
                                        SSDEEP:48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhL
                                        MD5:30D23CC577A89146961915B57F408623
                                        SHA1:9B5709D6081D8E0A570511E6E0AAE96FA041964F
                                        SHA-256:E2130A72E55193D402B5F43F7F3584ECF6B423F8EC4B1B1B69AD693C7E0E5A9E
                                        SHA-512:2D5C5747FD04F8326C2CC1FB313925070BC01D3352AFA6C36C167B72757A15F58B6263D96BD606338DA055812E69DDB628A6E18D64DD59697C2F42D1C58CC687
                                        Malicious:false
                                        Reputation:low
                                        Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                        Process:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        File Type:ISO-8859 text, with no line terminators
                                        Category:dropped
                                        Size (bytes):8
                                        Entropy (8bit):3.0
                                        Encrypted:false
                                        SSDEEP:3:gPn:gPn
                                        MD5:4E39023B090D611298C362113E4E31DE
                                        SHA1:511F5BCEF4D04F53C758ECA4F218A86D89955189
                                        SHA-256:98426645A5E77C9AF58584E1DD9B61C57E84A477F4E4C75CB58B89725A66D943
                                        SHA-512:3D658E57F46E31C55EF1CDDB85E4451045424677C8110A1B771B653B3CD00B95C52B9E824CCD944DD7243A2C69D1640C489BB443F6654451E97C063453B0F342
                                        Malicious:true
                                        Reputation:low
                                        Preview: ...u...H
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                        Process:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):24
                                        Entropy (8bit):4.501629167387823
                                        Encrypted:false
                                        SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                                        MD5:ACD3FB4310417DC77FE06F15B0E353E6
                                        SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                                        SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                                        SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                                        Malicious:false
                                        Preview: 9iH...}Z.4..f..J".C;"a
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                        Process:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):5.320159765557392
                                        Encrypted:false
                                        SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                                        MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                                        SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                                        SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                                        SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                                        Malicious:false
                                        Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                        Process:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):327768
                                        Entropy (8bit):7.999367066417797
                                        Encrypted:true
                                        SSDEEP:6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
                                        MD5:2E52F446105FBF828E63CF808B721F9C
                                        SHA1:5330E54F238F46DC04C1AC62B051DB4FCD7416FB
                                        SHA-256:2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
                                        SHA-512:C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
                                        Malicious:false
                                        Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                        C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                        Process:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):65
                                        Entropy (8bit):4.801074305563008
                                        Encrypted:false
                                        SSDEEP:3:oNWXp5v1qgkFKqEqrFOXxghog2TJ:oNWXpFggKEQ4xgrOJ
                                        MD5:31C782D11864C78B5699327A3EABC56E
                                        SHA1:1970AECA390F142254BB6293D88A496593995289
                                        SHA-256:CA168D61590B2EBD98CEDA22CE747CF805691B00F312CFE7A9A4F77655634D0B
                                        SHA-512:9B7211D30F16FA10C951DEACE071734194930E1B926DB96610680F03FC33CB90491F0F207809F2D8EFF656CF9B325B7B0508C048256E216CFE69338509F2F9DA
                                        Malicious:false
                                        Preview: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        C:\Users\user\AppData\Roaming\gVFZdFg.exe
                                        Process:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):737280
                                        Entropy (8bit):7.456420940298375
                                        Encrypted:false
                                        SSDEEP:12288:2X9kXkXenHgjxJNmtOjaMohwWGVYMdyE2oApCJWX0HSx59B:CzfvaMomDVYMduXp8WX0yxV
                                        MD5:AFCC0C7F6FADF41949E66C9325B9F843
                                        SHA1:C1562634E7D393B54606731BECAD8D4D11FCBA39
                                        SHA-256:7DC65CB43A6491E7DA09935A8E8D20C33873FC75E370B9A701AEA0A660E85B80
                                        SHA-512:E80CB56E77D3A9532A6174A11ADC476CFEE7246D86AA47A9BF7A86DDFB23C8DCFE8C5CD580E998AEA4F1E8B324B55A9205091FEE89B1EFCCC37DD8E1829E22AA
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 9%
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R]/`..............0..2..........NQ... ...`....@.. ....................................@..................................P..O....`..T............................................................................ ............... ..H............text...T1... ...2.................. ..`.rsrc...T....`.......4..............@..@.reloc...............>..............@..B................0Q......H.......$...H...........l................................................0............{.....+..*&...}....*...0............{.....+..*&...}....*...0............{.....+..*&...}....*...0............{.....+..*&...}....*...0............{.....+..*&...}....*...0............{.....+..*&...}....*...0............{.....+..*&...}....*...0............{.....+..*&...}....*...0............{.....+..*&...}....*...0............{.....+..*&...}....*...0............{.....+..*&...}....*...0..........

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.456420940298375
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        File size:737280
                                        MD5:afcc0c7f6fadf41949e66c9325b9f843
                                        SHA1:c1562634e7d393b54606731becad8d4d11fcba39
                                        SHA256:7dc65cb43a6491e7da09935a8e8d20c33873fc75e370b9a701aea0a660e85b80
                                        SHA512:e80cb56e77d3a9532a6174a11adc476cfee7246d86aa47a9bf7a86ddfb23c8dcfe8c5cd580e998aea4f1e8b324b55a9205091fee89b1efccc37dd8e1829e22aa
                                        SSDEEP:12288:2X9kXkXenHgjxJNmtOjaMohwWGVYMdyE2oApCJWX0HSx59B:CzfvaMomDVYMduXp8WX0yxV
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R]/`..............0..2..........NQ... ...`....@.. ....................................@................................

                                        File Icon

                                        Icon Hash:60c8ada8f2f0f8b1

                                        Static PE Info

                                        General

                                        Entrypoint:0x48514e
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x602F5D52 [Fri Feb 19 06:40:18 2021 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x850fc          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x86000          0x30954       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0x83154       0x83200   False     0.759942504766   data       7.55881445378    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x86000          0x30954       0x30a00   False     0.759715416131   data       6.98866635189    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb8000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name           RVA      Size     Type
RT_ICON        0x861c0  0x172f0  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x9d4c0  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0xadcf8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 65535, next used block 4294901760
RT_ICON        0xb1f30  0x25a8   data
RT_ICON        0xb44e8  0x10a8   data
RT_ICON        0xb55a0  0x988    data
RT_ICON        0xb5f38  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xb63b0  0x68     data
RT_VERSION     0xb6428  0x32c    data
RT_MANIFEST    0xb6764  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

(The Language and Country columns are empty for every resource.)

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    2017-2021
Assembly Version  4.4.2.0
InternalName      gWyum.exe
FileVersion       4.3.0.0
CompanyName
LegalTrademarks
Comments
ProductName
ProductVersion    4.3.0.0
FileDescription
OriginalFilename  gWyum.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                                       Source Port  Dest Port  Source IP    Dest IP
02/19/21-08:29:02.061101  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49704        9036       192.168.2.3  91.212.153.84
02/19/21-08:29:10.080046  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49706        9036       192.168.2.3  91.212.153.84
02/19/21-08:29:16.963290  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49707        9036       192.168.2.3  91.212.153.84
02/19/21-08:29:22.141016  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49708        9036       192.168.2.3  91.212.153.84
02/19/21-08:29:29.045681  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49709        9036       192.168.2.3  91.212.153.84
02/19/21-08:29:35.289931  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49710        9036       192.168.2.3  91.212.153.84
02/19/21-08:29:41.351260  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49711        9036       192.168.2.3  91.212.153.84
02/19/21-08:29:46.711502  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49712        9036       192.168.2.3  91.212.153.84
02/19/21-08:29:53.506531  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49713        9036       192.168.2.3  91.212.153.84
02/19/21-08:30:00.348934  UDP       254      DNS SPOOF query response with TTL of 1 min. and no authority  53           59349      8.8.8.8      192.168.2.3
02/19/21-08:30:00.409002  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49714        9036       192.168.2.3  91.212.153.84
02/19/21-08:30:06.563861  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49715        9036       192.168.2.3  91.212.153.84
02/19/21-08:30:13.530474  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49716        9036       192.168.2.3  91.212.153.84
02/19/21-08:30:20.851223  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49717        9036       192.168.2.3  91.212.153.84
02/19/21-08:30:26.882120  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49718        9036       192.168.2.3  91.212.153.84
02/19/21-08:30:33.073518  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49719        9036       192.168.2.3  91.212.153.84
02/19/21-08:30:40.144853  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49720        9036       192.168.2.3  91.212.153.84
02/19/21-08:30:45.115632  TCP       2025019  ET TROJAN Possible NanoCore C2 60B                            49721        9036       192.168.2.3  91.212.153.84

Network Port Distribution

TCP Packets


UDP Packets


DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                   Type            Class
Feb 19, 2021 08:29:01.675496101 CET  192.168.2.3  8.8.8.8  0x727b    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:29:09.924968958 CET  192.168.2.3  8.8.8.8  0x190f    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:29:16.821532965 CET  192.168.2.3  8.8.8.8  0x9f6d    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:29:21.874450922 CET  192.168.2.3  8.8.8.8  0x23c4    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:29:28.810173988 CET  192.168.2.3  8.8.8.8  0x394b    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:29:35.175757885 CET  192.168.2.3  8.8.8.8  0x8e9b    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:29:41.236505985 CET  192.168.2.3  8.8.8.8  0xa15a    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:29:46.592783928 CET  192.168.2.3  8.8.8.8  0xb63b    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:29:53.388196945 CET  192.168.2.3  8.8.8.8  0x5312    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:30:00.291894913 CET  192.168.2.3  8.8.8.8  0x8a94    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:30:06.291666031 CET  192.168.2.3  8.8.8.8  0x7d5e    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:30:13.401871920 CET  192.168.2.3  8.8.8.8  0xc0d7    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:30:20.736202002 CET  192.168.2.3  8.8.8.8  0x7b91    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:30:26.761276007 CET  192.168.2.3  8.8.8.8  0x12a4    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:30:32.958008051 CET  192.168.2.3  8.8.8.8  0x8845    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:30:39.961554050 CET  192.168.2.3  8.8.8.8  0x8c6e    Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)
Feb 19, 2021 08:30:45.000926971 CET  192.168.2.3  8.8.8.8  0x8ae     Standard query (0)  shahzad73.casacam.net  A (IP address)  IN (0x0001)

                                        DNS Answers


                                        Behavior

                                        System Behavior

                                        General

                                        Start time:08:28:32
                                        Start date:19/02/2021
                                        Path:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe'
                                        Imagebase:0xf70000
                                        File size:737280 bytes
                                        MD5 hash:AFCC0C7F6FADF41949E66C9325B9F843
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Start time:08:28:55
                                        Start date:19/02/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp'
                                        Imagebase:0xba0000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:28:55
                                        Start date:19/02/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6b2800000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:28:56
                                        Start date:19/02/2021
                                        Path:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0x7f0000
                                        File size:737280 bytes
                                        MD5 hash:AFCC0C7F6FADF41949E66C9325B9F843
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: NanoCore, Description: unknown, Source: 00000004.00000003.300424422.0000000004893000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Start time:08:28:59
                                        Start date:19/02/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA223.tmp'
                                        Imagebase:0xf00000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:28:59
                                        Start date:19/02/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6b2800000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:29:00
                                        Start date:19/02/2021
                                        Path:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' 0
                                        Imagebase:0x7ff7ca4e0000
                                        File size:737280 bytes
                                        MD5 hash:AFCC0C7F6FADF41949E66C9325B9F843
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low

                                        General

                                        Start time:08:29:20
                                        Start date:19/02/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmp5650.tmp'
                                        Imagebase:0x8f0000
                                        File size:185856 bytes
                                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:29:20
                                        Start date:19/02/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6b2800000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:08:29:21
                                        Start date:19/02/2021
                                        Path:C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0x8d0000
                                        File size:737280 bytes
                                        MD5 hash:AFCC0C7F6FADF41949E66C9325B9F843
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.327064470.0000000002DD1000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                        Reputation:low
