Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report Product List.exe

Overview

General Information

Sample Name:Product List.exe
Analysis ID:356641
MD5:df1a8e7ffa630db4a9fa38abaec4c0d2
SHA1:19077607d6f6951499783faec6f1722cb9b2c077
SHA256:8174806d6bbe5f5c713a2a860c36b22d3efe8c7effeb0284bb23de5a9fe68d26
Tags:AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Product List.exe (PID: 3488 cmdline: 'C:\Users\user\Desktop\Product List.exe' MD5: DF1A8E7FFA630DB4A9FA38ABAEC4C0D2)
    • schtasks.exe (PID: 4092 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Product List.exe (PID: 1928 cmdline: C:\Users\user\Desktop\Product List.exe MD5: DF1A8E7FFA630DB4A9FA38ABAEC4C0D2)
    • Product List.exe (PID: 3152 cmdline: C:\Users\user\Desktop\Product List.exe MD5: DF1A8E7FFA630DB4A9FA38ABAEC4C0D2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 4 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            4.2.Product List.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.Product List.exe.41e7fb0.5.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.Product List.exe.2f56b18.1.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
                  0.2.Product List.exe.41e7fb0.5.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    0.2.Product List.exe.2fa483c.2.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Scheduled temp file as task from temp locationShow sources
                      Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Product List.exe' , ParentImage: C:\Users\user\Desktop\Product List.exe, ParentProcessId: 3488, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp', ProcessId: 4092

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\oObXLwwKgq.exeReversingLabs: Detection: 34%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: Product List.exeVirustotal: Detection: 42%Perma Link
                      Source: Product List.exeReversingLabs: Detection: 34%
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\oObXLwwKgq.exeJoe Sandbox ML: detected
                      Machine Learning detection for sampleShow sources
                      Source: Product List.exeJoe Sandbox ML: detected
                      Source: 4.2.Product List.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

                      Compliance:

                      barindex
                      Uses 32bit PE filesShow sources
                      Source: Product List.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
                      Source: Product List.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: global trafficTCP traffic: 192.168.2.3:49732 -> 144.217.69.193:587
                      Source: global trafficTCP traffic: 192.168.2.3:49732 -> 144.217.69.193:587
                      Source: unknownDNS traffic detected: queries for: cdn.onenote.net
                      Source: Product List.exe, 00000004.00000002.472992635.0000000003079000.00000004.00000001.sdmp, Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp, Product List.exe, 00000004.00000002.472808847.0000000003048000.00000004.00000001.sdmpString found in binary or memory: http://0AqX2o5J52Y7fM61Oxy.com
                      Source: Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://at.engineering
                      Source: Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: Product List.exe, 00000004.00000002.477419217.0000000006A40000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                      Source: Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: Product List.exe, 00000000.00000003.206077469.0000000005FEE000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: Product List.exe, 00000000.00000003.206416561.0000000005FC9000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlr-t
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                      Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comTTF/
                      Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comU
                      Source: Product List.exe, 00000000.00000002.227845967.0000000005FB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsp
                      Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomF
                      Source: Product List.exe, 00000000.00000002.227845967.0000000005FB4000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgritoq
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: Product List.exe, 00000000.00000003.203454444.0000000005FB8000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: Product List.exe, 00000000.00000003.203545951.0000000005FB6000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: Product List.exe, 00000000.00000003.203454444.0000000005FB8000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnC
                      Source: Product List.exe, 00000000.00000003.203211032.0000000005FBE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnTFf
                      Source: Product List.exe, 00000000.00000003.203454444.0000000005FB8000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cno
                      Source: Product List.exe, 00000000.00000003.207772790.0000000005FC3000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/4
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: Product List.exe, 00000000.00000003.207772790.0000000005FC3000.00000004.00000001.sdmp, Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//p
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/9
                      Source: Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/I
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/L
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0et
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0mC
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/9
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/z
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/lte
                      Source: Product List.exe, 00000000.00000003.204830525.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/oi
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/oo
                      Source: Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/q
                      Source: Product List.exe, 00000000.00000003.200659215.0000000005FB3000.00000004.00000001.sdmp, Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: Product List.exe, 00000000.00000003.200659215.0000000005FB3000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comec
                      Source: Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com&
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: Product List.exe, 00000000.00000003.202945354.0000000005FCB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comwa
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmpString found in binary or memory: http://ztjCrd.com
                      Source: Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
                      Source: Product List.exe, 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp, Product List.exe, 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 4.2.Product List.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b229E1CFDu002d2DFDu002d4D5Bu002dAEE6u002d795BE0355C35u007d/AF02D89Au002dA309u002d4AF8u002d9971u002dE6A4754A7662.csLarge array initialization: .cctor: array initializer size 11949
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_00AF4AD5
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_02E8A6A8
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_02E8EF3C
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_02E8F418
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_02E8D5A0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_02E8D59B
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_02E8B994
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_09742C90
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_09740040
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 3_2_002A4AD5
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_008E4AD5
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DD2D50
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DDEA18
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DD2618
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DDCFF0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DD1FE0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DDA720
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DDF7F8
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DFACB0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DF0040
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DF2E50
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DF4670
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DFD385
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DF6840
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DF9118
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_011D47A0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_011DD820
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_011D3CCC
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_011D46B0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_011D5490
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_011D3CC0
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_06C75C58
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_06C7F870
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_06C7A710
                      Source: Product List.exeBinary or memory string: OriginalFilename vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAsyncState.dllF vs Product List.exe
                      Source: Product List.exe, 00000000.00000000.197720100.0000000000AF2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIEnumMoniker.exe6 vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBpIFRNHUGjPNAoJQtYyW.exe4 vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.230847837.0000000009480000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.229847265.0000000008F80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.229761142.0000000008DD0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.231099210.0000000009580000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Product List.exe
                      Source: Product List.exe, 00000000.00000002.231099210.0000000009580000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Product List.exe
                      Source: Product List.exeBinary or memory string: OriginalFilename vs Product List.exe
                      Source: Product List.exe, 00000003.00000000.219271011.00000000002A2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIEnumMoniker.exe6 vs Product List.exe
                      Source: Product List.exeBinary or memory string: OriginalFilename vs Product List.exe
                      Source: Product List.exe, 00000004.00000000.220140658.00000000008E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameIEnumMoniker.exe6 vs Product List.exe
                      Source: Product List.exe, 00000004.00000002.469726803.00000000010C0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Product List.exe
                      Source: Product List.exe, 00000004.00000002.469821932.0000000001150000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs Product List.exe
                      Source: Product List.exe, 00000004.00000002.467021746.0000000000D38000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Product List.exe
                      Source: Product List.exe, 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameBpIFRNHUGjPNAoJQtYyW.exe4 vs Product List.exe
                      Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Product List.exe
                      Source: Product List.exeBinary or memory string: OriginalFilenameIEnumMoniker.exe6 vs Product List.exe
                      Source: Product List.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Product List.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: oObXLwwKgq.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 4.2.Product List.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 4.2.Product List.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@8/5@3/1
                      Source: C:\Users\user\Desktop\Product List.exeFile created: C:\Users\user\AppData\Roaming\oObXLwwKgq.exeJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeMutant created: \Sessions\1\BaseNamedObjects\ubWnYfprkyhFCG
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_01
                      Source: C:\Users\user\Desktop\Product List.exeFile created: C:\Users\user\AppData\Local\Temp\tmp3F53.tmpJump to behavior
                      Source: Product List.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Product List.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Product List.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Product List.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\Product List.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Product List.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                      Source: Product List.exeVirustotal: Detection: 42%
                      Source: Product List.exeReversingLabs: Detection: 34%
                      Source: C:\Users\user\Desktop\Product List.exeFile read: C:\Users\user\Desktop\Product List.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Product List.exe 'C:\Users\user\Desktop\Product List.exe'
                      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
                      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\Desktop\Product List.exe C:\Users\user\Desktop\Product List.exe
                      Source: unknownProcess created: C:\Users\user\Desktop\Product List.exe C:\Users\user\Desktop\Product List.exe
                      Source: C:\Users\user\Desktop\Product List.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
                      Source: C:\Users\user\Desktop\Product List.exeProcess created: C:\Users\user\Desktop\Product List.exe C:\Users\user\Desktop\Product List.exe
                      Source: C:\Users\user\Desktop\Product List.exeProcess created: C:\Users\user\Desktop\Product List.exe C:\Users\user\Desktop\Product List.exe
                      Source: C:\Users\user\Desktop\Product List.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: C:\Users\user\Desktop\Product List.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\Product List.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Product List.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Product List.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 0_2_09743C6D push dword ptr [edx+ebp*2-75h]; iretd
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DD7A37 push edi; retn 0000h
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DFB8B0 push F800D8CCh; retf
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_06C7D5B5 push es; ret
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.44517297113
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.44517297113
                      Source: C:\Users\user\Desktop\Product List.exeFile created: C:\Users\user\AppData\Roaming\oObXLwwKgq.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
                      Source: C:\Users\user\Desktop\Product List.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Product List.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM_3Show sources
                      Source: Yara matchFile source: 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Product List.exe PID: 3488, type: MEMORY
                      Source: Yara matchFile source: 0.2.Product List.exe.2f56b18.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Product List.exe.2fa483c.2.raw.unpack, type: UNPACKEDPE
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Source: C:\Users\user\Desktop\Product List.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                      Source: C:\Users\user\Desktop\Product List.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                      Source: C:\Users\user\Desktop\Product List.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                      Source: C:\Users\user\Desktop\Product List.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\Product List.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
                      Source: C:\Users\user\Desktop\Product List.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                      Source: C:\Users\user\Desktop\Product List.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Product List.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Product List.exeWindow / User API: threadDelayed 6832
                      Source: C:\Users\user\Desktop\Product List.exeWindow / User API: threadDelayed 3018
                      Source: C:\Users\user\Desktop\Product List.exe TID: 1740Thread sleep time: -99271s >= -30000s
                      Source: C:\Users\user\Desktop\Product List.exe TID: 5840Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Product List.exe TID: 3292Thread sleep time: -21213755684765971s >= -30000s
                      Source: C:\Users\user\Desktop\Product List.exe TID: 4796Thread sleep count: 6832 > 30
                      Source: C:\Users\user\Desktop\Product List.exe TID: 4796Thread sleep count: 3018 > 30
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Product List.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware T<
                      Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware T
                      Source: Product List.exe, 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Product List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: Product List.exe, 00000004.00000002.476423567.0000000005C10000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\Product List.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\Product List.exeCode function: 4_2_00DF0040 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\Product List.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\Product List.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\Product List.exeMemory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\Product List.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
                      Source: C:\Users\user\Desktop\Product List.exeProcess created: C:\Users\user\Desktop\Product List.exe C:\Users\user\Desktop\Product List.exe
                      Source: C:\Users\user\Desktop\Product List.exeProcess created: C:\Users\user\Desktop\Product List.exe C:\Users\user\Desktop\Product List.exe
                      Source: Product List.exe, 00000004.00000002.470104819.00000000016D0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: Product List.exe, 00000004.00000002.470104819.00000000016D0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: Product List.exe, 00000004.00000002.470104819.00000000016D0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: Product List.exe, 00000004.00000002.470104819.00000000016D0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Users\user\Desktop\Product List.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Users\user\Desktop\Product List.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\Product List.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Product List.exe PID: 3488, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Product List.exe PID: 3152, type: MEMORY
                      Source: Yara matchFile source: 4.2.Product List.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Product List.exe.41e7fb0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Product List.exe.41e7fb0.5.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\Product List.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\Product List.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\Product List.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Users\user\Desktop\Product List.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Users\user\Desktop\Product List.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Source: C:\Users\user\Desktop\Product List.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\Desktop\Product List.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Product List.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\Product List.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\Product List.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara matchFile source: 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Product List.exe PID: 3152, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Product List.exe PID: 3488, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Product List.exe PID: 3152, type: MEMORY
                      Source: Yara matchFile source: 4.2.Product List.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Product List.exe.41e7fb0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.Product List.exe.41e7fb0.5.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation311Scheduled Task/Job1Process Injection12Disable or Modify Tools1OS Credential Dumping2File and Directory Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Deobfuscate/Decode Files or Information1Credentials in Registry1System Information Discovery114Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information2Security Account ManagerQuery Registry1SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing3NTDSSecurity Software Discovery421Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading1LSA SecretsVirtualization/Sandbox Evasion24SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion24Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection12DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      Product List.exe42%VirustotalBrowse
                      Product List.exe34%ReversingLabsByteCode-MSIL.Trojan.Wacatac
                      Product List.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\oObXLwwKgq.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\oObXLwwKgq.exe34%ReversingLabsByteCode-MSIL.Trojan.Wacatac

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      4.2.Product List.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      SourceDetectionScannerLabelLink
                      at.engineering0%VirustotalBrowse
                      cdn.onenote.net0%VirustotalBrowse

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.tiro.comwa0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/Y0mC0%Avira URL Cloudsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.sajatypeworks.comec0%Avira URL Cloudsafe
                      http://ztjCrd.com0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/lte0%Avira URL Cloudsafe
                      http://www.fontbureau.comTTF/0%Avira URL Cloudsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/90%Avira URL Cloudsafe
                      http://www.founder.com.cn/cnC0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp//p0%Avira URL Cloudsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.founder.com.cn/cno0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/90%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/90%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/90%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.fontbureau.comalsp0%Avira URL Cloudsafe
                      http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                      http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                      http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.de0%URL Reputationsafe
                      http://www.urwpp.de0%URL Reputationsafe
                      http://www.urwpp.de0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://www.fontbureau.comF0%URL Reputationsafe
                      http://www.fontbureau.comF0%URL Reputationsafe
                      http://www.fontbureau.comF0%URL Reputationsafe
                      https://sectigo.com/CPS00%URL Reputationsafe
                      https://sectigo.com/CPS00%URL Reputationsafe
                      https://sectigo.com/CPS00%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/Y0et0%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/L0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/L0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/L0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/I0%Avira URL Cloudsafe
                      http://www.fontbureau.comU0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cnTFf0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/oi0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                      http://www.fontbureau.coma0%URL Reputationsafe
                      http://www.fontbureau.coma0%URL Reputationsafe
                      http://www.fontbureau.coma0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/oo0%Avira URL Cloudsafe
                      http://www.jiyu-kobo.co.jp/jp/z0%Avira URL Cloudsafe
                      http://0AqX2o5J52Y7fM61Oxy.com0%Avira URL Cloudsafe
                      http://www.fontbureau.comgritoq0%Avira URL Cloudsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      at.engineering
                      		144.217.69.193
                      		truefalseunknown
                      cdn.onenote.net
                      		unknown
                      		unknowntrueunknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.1Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://www.fontbureau.com/designersGProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                        		high
                        http://www.fontbureau.com/designers/?Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                          		high
                          http://www.founder.com.cn/cn/bTheProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.tiro.comwaProduct List.exe, 00000000.00000003.202945354.0000000005FCB000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.fontbureau.com/designers?Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                            		high
                            http://www.jiyu-kobo.co.jp/Y0mCProduct List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.tiro.comProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.sajatypeworks.comecProduct List.exe, 00000000.00000003.200659215.0000000005FB3000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://ztjCrd.comProduct List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/lteProduct List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.fontbureau.com/designersProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                              		high
                              http://www.fontbureau.comTTF/Product List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.goodfont.co.krProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.jiyu-kobo.co.jp/jp/9Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssProduct List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpfalse
                                		high
                                http://www.founder.com.cn/cnCProduct List.exe, 00000000.00000003.203454444.0000000005FB8000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.jiyu-kobo.co.jp//pProduct List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.sajatypeworks.comProduct List.exe, 00000000.00000003.200659215.0000000005FB3000.00000004.00000001.sdmp, Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cnoProduct List.exe, 00000000.00000003.203454444.0000000005FB8000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.jiyu-kobo.co.jp/9Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.typography.netDProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cn/cTheProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.galapagosdesign.com/staff/dennis.htmProduct List.exe, 00000000.00000003.207772790.0000000005FC3000.00000004.00000001.sdmp, Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://fontfabrik.comProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.galapagosdesign.com/DPleaseProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.comalspProduct List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.ascendercorp.com/typedesigners.htmlProduct List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.fonts.comProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                  		high
                                  http://www.sandoll.co.krProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.urwpp.deDPleaseProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.urwpp.deProduct List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.zhongyicts.com.cnProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameProduct List.exe, 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmpfalse
                                    		high
                                    http://www.sakkal.comProduct List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipProduct List.exe, 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp, Product List.exe, 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.apache.org/licenses/LICENSE-2.0Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                      		high
                                      http://www.fontbureau.comProduct List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpfalse
                                        		high
                                        http://DynDns.comDynDNSProduct List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.comFProduct List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        https://sectigo.com/CPS0Product List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers/frere-jones.htmlr-tProduct List.exe, 00000000.00000003.206416561.0000000005FC9000.00000004.00000001.sdmpfalse
                                          		high
                                          http://www.jiyu-kobo.co.jp/Y0etProduct List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haProduct List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/LProduct List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/IProduct List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fontbureau.comUProduct List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.founder.com.cn/cnTFfProduct List.exe, 00000000.00000003.203211032.0000000005FBE000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/oiProduct List.exe, 00000000.00000003.204830525.0000000005FB5000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/jp/Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comaProduct List.exe, 00000000.00000002.227845967.0000000005FB4000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/ooProduct List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/jp/zProduct List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://0AqX2o5J52Y7fM61Oxy.comProduct List.exe, 00000004.00000002.472992635.0000000003079000.00000004.00000001.sdmp, Product List.exe, 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp, Product List.exe, 00000004.00000002.472808847.0000000003048000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fontbureau.comgritoqProduct List.exe, 00000000.00000002.227845967.0000000005FB4000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.carterandcone.comlProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.founder.com.cn/cn/Product List.exe, 00000000.00000003.203545951.0000000005FB6000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlNProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                            		high
                                            http://www.founder.com.cn/cnProduct List.exe, 00000000.00000003.203454444.0000000005FB8000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers/frere-jones.htmlProduct List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                              		high
                                              http://www.jiyu-kobo.co.jp/qProduct List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.sakkal.com&Product List.exe, 00000000.00000003.204979445.0000000005FB5000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		low
                                              http://www.galapagosdesign.com/4Product List.exe, 00000000.00000003.207772790.0000000005FC3000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fontbureau.comcomFProduct List.exe, 00000000.00000003.207002585.0000000005FB5000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/Product List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.fontbureau.com/designers8Product List.exe, 00000000.00000002.227889604.00000000060A0000.00000002.00000001.sdmpfalse
                                                		high
                                                http://at.engineeringProduct List.exe, 00000004.00000002.473062897.0000000003081000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/hProduct List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/aProduct List.exe, 00000000.00000003.204651805.0000000005FB5000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.com/designers/Product List.exe, 00000000.00000003.206077469.0000000005FEE000.00000004.00000001.sdmpfalse
                                                  		high

                                                  Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  144.217.69.193
                                                  		unknownCanada
                                                  		16276OVHFRfalse

                                                  General Information

                                                  Joe Sandbox Version:31.0.0 Emerald
                                                  Analysis ID:356641
                                                  Start date:23.02.2021
                                                  Start time:13:52:10
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 8m 32s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:Product List.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                  Number of analysed new started processes analysed:35
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@8/5@3/1
                                                  EGA Information:Failed
                                                  HDC Information:
                                                  • Successful, ratio: 0.2% (good quality ratio 0.1%)
                                                  • Quality average: 17.4%
                                                  • Quality standard deviation: 29%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found application associated with file extension: .exe
                                                  Warnings:
                                                  Show All
                                                  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, wermgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                  • Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.43.139.144, 40.88.32.150, 52.255.188.83, 13.64.90.137, 84.53.167.113, 2.17.179.193, 13.107.42.23, 13.107.5.88, 93.184.220.29, 20.190.160.67, 20.190.160.132, 20.190.160.8, 20.190.160.75, 20.190.160.6, 20.190.160.71, 20.190.160.2, 20.190.160.69, 23.218.209.198, 51.104.139.180, 204.79.197.200, 13.107.21.200, 23.218.208.56, 23.211.6.115, 2.20.142.210, 2.20.142.209, 51.104.144.132, 92.122.213.247, 92.122.213.194, 20.54.26.129
                                                  • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, cdn.onenote.net.edgekey.net, www.tm.a.prd.aadg.trafficmanager.net, skypedataprdcoleus15.cloudapp.net, ocsp.digicert.com, ams2.next.a.prd.aadg.trafficmanager.net, wildcard.weather.microsoft.com.edgekey.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, www.bing.com, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, e15275.g.akamaiedge.net, l-0014.config.skype.com, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, storeedgefd.dsx.mp.microsoft.com, skypedataprdcolwus17.cloudapp.net, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, login.msa.msidentity.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, l-0014.l-msedge.net, e16646.dscg.akamaiedge.net
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  13:53:02API Interceptor769x Sleep call for process: Product List.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  No context

                                                  Domains

                                                  No context

                                                  ASN

                                                  MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                  OVHFRtEQjO7fbhJ.dllGet hashmaliciousBrowse
                                                  • 37.187.115.122
                                                  qRoUqXAvyz.dllGet hashmaliciousBrowse
                                                  • 37.187.115.122
                                                  v9tWEeYg4u.dllGet hashmaliciousBrowse
                                                  • 37.187.115.122
                                                  1sAKtAszhK.dllGet hashmaliciousBrowse
                                                  • 37.187.115.122
                                                  ClfwZpeLXt.dllGet hashmaliciousBrowse
                                                  • 37.187.115.122
                                                  svhost.exeGet hashmaliciousBrowse
                                                  • 54.37.11.130
                                                  SBll8nnAVc.dllGet hashmaliciousBrowse
                                                  • 37.187.115.122
                                                  SecuriteInfo.com.Variant.Zusy.368685.25375.exeGet hashmaliciousBrowse
                                                  • 51.68.21.188
                                                  0O9BJfVJi6fEMoS.exeGet hashmaliciousBrowse
                                                  • 94.23.162.163
                                                  SecuriteInfo.com.Variant.Zusy.368685.25618.exeGet hashmaliciousBrowse
                                                  • 51.68.21.186
                                                  Payment Transfer Copy of $274,876.00 for the invoice shipments.exeGet hashmaliciousBrowse
                                                  • 198.27.88.111
                                                  Quotation Reques.exeGet hashmaliciousBrowse
                                                  • 51.83.43.226
                                                  8TD8GfTtaW.exeGet hashmaliciousBrowse
                                                  • 51.68.21.186
                                                  iKohUejteO.dllGet hashmaliciousBrowse
                                                  • 37.187.115.122
                                                  PO No. 104393019_pdf.exeGet hashmaliciousBrowse
                                                  • 51.195.53.221
                                                  nTqV6fxGXT.exeGet hashmaliciousBrowse
                                                  • 51.254.175.184
                                                  Purchase Order___pdf ____________.exeGet hashmaliciousBrowse
                                                  • 66.70.204.222
                                                  File Downloader [14.5].apkGet hashmaliciousBrowse
                                                  • 51.75.61.103
                                                  PO_210222.exeGet hashmaliciousBrowse
                                                  • 213.186.33.5
                                                  SecuriteInfo.com.Trojan.MinerNET.8.3277.exeGet hashmaliciousBrowse
                                                  • 149.202.83.171

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Product List.exe.log
                                                  Process:C:\Users\user\Desktop\Product List.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):1406
                                                  Entropy (8bit):5.341099307467139
                                                  Encrypted:false
                                                  SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
                                                  MD5:E5FA1A53BA6D70E18192AF6AF7CFDBFA
                                                  SHA1:1C076481F11366751B8DA795C98A54DE8D1D82D5
                                                  SHA-256:1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
                                                  SHA-512:77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
                                                  Malicious:true
                                                  Reputation:moderate, very likely benign file
                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                  C:\Users\user\AppData\Local\Temp\tmp3F53.tmp
                                                  Process:C:\Users\user\Desktop\Product List.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1643
                                                  Entropy (8bit):5.19496303324492
                                                  Encrypted:false
                                                  SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBp0dNtn:cbh47TlNQ//rydbz9I3YODOLNdq3fkn
                                                  MD5:6330D491F1248EE1C323C939481B4EA4
                                                  SHA1:7C410346DC54E77BE2AC9DC46D0C5B339269B5F4
                                                  SHA-256:8982D3732605043BDBB365D07952F272EBEF315621084A1F30A8D5F65AEE814A
                                                  SHA-512:5A3329227BB3418E738B5D3323043F7414D7F6EDED2FB00A0603A61C1445B33FA746EF92F9421FF337905D19C3D36F9D0232979EED49F5FFFFCE10EE04707EA1
                                                  Malicious:true
                                                  Reputation:low
                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                  C:\Users\user\AppData\Roaming\oObXLwwKgq.exe
                                                  Process:C:\Users\user\Desktop\Product List.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):578048
                                                  Entropy (8bit):7.435582170366283
                                                  Encrypted:false
                                                  SSDEEP:12288:LPgF0vXu1MRLLRE883qya1nuKbDNInpN8JK6rNMgg3vWR:DXuAm88aya14MJ7Zfr
                                                  MD5:DF1A8E7FFA630DB4A9FA38ABAEC4C0D2
                                                  SHA1:19077607D6F6951499783FAEC6F1722CB9B2C077
                                                  SHA-256:8174806D6BBE5F5C713A2A860C36B22D3EFE8C7EFFEB0284BB23DE5A9FE68D26
                                                  SHA-512:7E7C2E8D94AFAE614291A9ADD08EE21EC1D0045ED30F0912A1572AA0D4090A214DE0AC669CDB0F87A7BBA35E9CA82FD5AAABE88871C1F5567BA2C3FB26262973
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 34%
                                                  Reputation:low
                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4`..............P.............~.... ........@.. ....................... ............@.................................,...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........s..\i..........(4...?...........................................0..#.......+.&...(....(..........(.....o.....*..................0..........+.&..8......8.....+*...a.+....a...#YE............B...M....>.+....<.+....YE............&.../...>...M...V..._...z........9.+......&.?.+.+.....+......&...8x.....6.8o.....(.......8`.....(.......8Q.......8H.....7.8?.....(....+.(....8)......8$.....(....+..8.......8....*.0..........+.&...++..#a.+...$a8.......X+Y.#(.....+......&...+...(0.
                                                  C:\Users\user\AppData\Roaming\oObXLwwKgq.exe:Zone.Identifier
                                                  Process:C:\Users\user\Desktop\Product List.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                  C:\Users\user\AppData\Roaming\q0ktu44q.k1d\Chrome\Default\Cookies
                                                  Process:C:\Users\user\Desktop\Product List.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                  Category:dropped
                                                  Size (bytes):20480
                                                  Entropy (8bit):0.6970840431455908
                                                  Encrypted:false
                                                  SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                  MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                  SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                  SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                  SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.435582170366283
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                  File name:Product List.exe
                                                  File size:578048
                                                  MD5:df1a8e7ffa630db4a9fa38abaec4c0d2
                                                  SHA1:19077607d6f6951499783faec6f1722cb9b2c077
                                                  SHA256:8174806d6bbe5f5c713a2a860c36b22d3efe8c7effeb0284bb23de5a9fe68d26
                                                  SHA512:7e7c2e8d94afae614291a9add08ee21ec1d0045ed30f0912a1572aa0d4090a214de0ac669cdb0f87a7bba35e9ca82fd5aaabe88871c1f5567ba2c3fb26262973
                                                  SSDEEP:12288:LPgF0vXu1MRLLRE883qya1nuKbDNInpN8JK6rNMgg3vWR:DXuAm88aya14MJ7Zfr
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4`..............P.............~.... ........@.. ....................... ............@................................

                                                  File Icon

                                                  Icon Hash:00828e8e8686b000

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x48dd7e
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                  Time Stamp:0x60349BA0 [Tue Feb 23 06:07:28 2021 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v4.0.30319
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                  Entrypoint Preview

                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al

                                                  Data Directories

                                                  NameVirtual AddressVirtual Size Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x8dd2c0x4f.text
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x8e0000x1000.rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x900000xc.reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                  Sections

                                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                  .text0x20000x8bd840x8be00False0.749713751117data7.44517297113IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                  .rsrc0x8e0000x10000x1000False0.40185546875data4.99794131335IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc0x900000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                  Resources

                                                  NameRVASizeTypeLanguageCountry
                                                  RT_VERSION0x8e0900x334data
                                                  RT_MANIFEST0x8e3d40xc0fXML 1.0 document, UTF-8 Unicode (with BOM) text

                                                  Imports

                                                  DLLImport
                                                  mscoree.dll_CorExeMain

                                                  Version Infos

                                                  DescriptionData
                                                  Translation0x0000 0x04b0
                                                  LegalCopyrightCopyright 2018
                                                  Assembly Version1.0.0.0
                                                  InternalNameIEnumMoniker.exe
                                                  FileVersion1.0.0.0
                                                  CompanyName
                                                  LegalTrademarks
                                                  Comments
                                                  ProductNameRegisterVB
                                                  ProductVersion1.0.0.0
                                                  FileDescriptionRegisterVB
                                                  OriginalFilenameIEnumMoniker.exe

                                                  Network Behavior

                                                  Network Port Distribution

                                                  TCP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Feb 23, 2021 13:54:46.915697098 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:47.050697088 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:47.050853014 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:47.338830948 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:47.339210987 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:47.474318027 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:47.474642992 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:47.614777088 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:47.662908077 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:47.846215963 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.011452913 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.011478901 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.011496067 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.011507988 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.011564016 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:48.011601925 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:48.015187025 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.044770956 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:48.179675102 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.180944920 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.236499071 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:48.371718884 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.375401974 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:48.510875940 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.511482954 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:48.686083078 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.688595057 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.689361095 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:48.824500084 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:48.824903965 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:49.001992941 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:49.153862000 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:49.154293060 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:49.289295912 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:49.292339087 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:49.292433023 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:49.292525053 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:49.292598963 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:49.430084944 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:49.430118084 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:49.430207968 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:50.126668930 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:50.244594097 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:51.293281078 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:51.429964066 CET58749732144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:51.430064917 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:51.453202009 CET49732587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:51.542722940 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:51.677608013 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:51.677746058 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:51.935015917 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:51.935560942 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:52.069746971 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.070053101 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:52.248456955 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.264549017 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.265181065 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:52.399315119 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.542656898 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.542690039 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.542714119 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.542730093 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.542865038 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:52.552720070 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.555233002 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:52.688100100 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.689156055 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.692828894 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:52.834271908 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.834716082 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:52.967694998 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:52.968785048 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:53.125047922 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:53.129772902 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:53.262490034 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:53.262960911 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:53.434267998 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:53.482836962 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:53.483937025 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:53.617989063 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:53.619812012 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:53.620024920 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:53.620177984 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:53.620332003 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:53.620534897 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:53.620682001 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:53.620770931 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:53.620884895 CET49738587192.168.2.3144.217.69.193
                                                  Feb 23, 2021 13:54:53.751034021 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:53.751060009 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:53.751230955 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:53.751306057 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:53.751576900 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:53.751705885 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:53.751885891 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:53.751890898 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:54.474220037 CET58749738144.217.69.193192.168.2.3
                                                  Feb 23, 2021 13:54:54.535514116 CET49738587192.168.2.3144.217.69.193

                                                  UDP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Feb 23, 2021 13:52:49.658979893 CET4987353192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:52:49.707695961 CET53498738.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:52:51.271466017 CET5319653192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:52:51.320465088 CET53531968.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:52:52.225564957 CET5677753192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:52:52.274302959 CET53567778.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:52:54.334934950 CET5864353192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:52:54.383745909 CET53586438.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:52:55.393558025 CET6098553192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:52:55.446018934 CET53609858.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:52:56.323122025 CET5020053192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:52:56.371922970 CET53502008.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:52:57.270813942 CET5128153192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:52:57.323899984 CET53512818.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:52:58.269529104 CET4919953192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:52:58.321420908 CET53491998.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:52:59.107702017 CET5062053192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:52:59.156367064 CET53506208.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:00.018372059 CET6493853192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:00.069804907 CET53649388.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:00.927954912 CET6015253192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:00.981184959 CET53601528.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:01.824388027 CET5754453192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:01.873764038 CET53575448.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:03.048409939 CET5598453192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:03.102969885 CET53559848.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:03.858500957 CET6418553192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:03.907257080 CET53641858.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:04.832976103 CET6511053192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:04.884597063 CET53651108.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:13.953787088 CET5836153192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:13.954802036 CET6349253192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:14.012274981 CET53583618.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:14.013675928 CET53634928.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:14.524161100 CET5872253192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:14.524230003 CET5659653192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:14.524290085 CET6410153192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:14.572988033 CET53587228.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:14.573014975 CET53565968.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:14.573132038 CET53641018.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:14.926719904 CET6083153192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:14.978131056 CET53608318.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:17.163664103 CET6010053192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:17.212567091 CET53601008.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:17.334800005 CET5319553192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:17.384818077 CET53531958.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:21.835669994 CET5014153192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:21.906491995 CET53501418.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:22.357269049 CET5302353192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:22.406094074 CET53530238.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:22.436091900 CET4956353192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:22.487602949 CET53495638.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:27.367983103 CET5135253192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:27.432729959 CET53513528.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:37.493057966 CET5934953192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:37.557876110 CET53593498.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:45.580605984 CET5708453192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:45.647797108 CET53570848.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:53:57.446793079 CET5882353192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:53:57.495541096 CET53588238.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:54:35.790575027 CET5756853192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:54:35.842123985 CET53575688.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:54:46.637748003 CET5054053192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:54:46.897916079 CET53505408.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:54:48.828274012 CET5436653192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:54:48.888101101 CET53543668.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:54:51.482954025 CET5303453192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:54:51.540743113 CET53530348.8.8.8192.168.2.3
                                                  Feb 23, 2021 13:55:01.375653982 CET5776253192.168.2.38.8.8.8
                                                  Feb 23, 2021 13:55:01.450911999 CET53577628.8.8.8192.168.2.3

                                                  DNS Queries

                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                  Feb 23, 2021 13:53:13.954802036 CET192.168.2.38.8.8.80xdb67Standard query (0)cdn.onenote.netA (IP address)IN (0x0001)
                                                  Feb 23, 2021 13:54:46.637748003 CET192.168.2.38.8.8.80xf481Standard query (0)at.engineeringA (IP address)IN (0x0001)
                                                  Feb 23, 2021 13:54:51.482954025 CET192.168.2.38.8.8.80xb902Standard query (0)at.engineeringA (IP address)IN (0x0001)

                                                  DNS Answers

                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                  Feb 23, 2021 13:53:14.013675928 CET8.8.8.8192.168.2.30xdb67No error (0)cdn.onenote.netcdn.onenote.net.edgekey.netCNAME (Canonical name)IN (0x0001)
                                                  Feb 23, 2021 13:53:17.212567091 CET8.8.8.8192.168.2.30xd4fcNo error (0)prda.aadg.msidentity.comwww.tm.a.prd.aadg.trafficmanager.netCNAME (Canonical name)IN (0x0001)
                                                  Feb 23, 2021 13:54:46.897916079 CET8.8.8.8192.168.2.30xf481No error (0)at.engineering144.217.69.193A (IP address)IN (0x0001)
                                                  Feb 23, 2021 13:54:51.540743113 CET8.8.8.8192.168.2.30xb902No error (0)at.engineering144.217.69.193A (IP address)IN (0x0001)

                                                  SMTP Packets

                                                  TimestampSource PortDest PortSource IPDest IPCommands
                                                  Feb 23, 2021 13:54:47.338830948 CET58749732144.217.69.193192.168.2.3220-server112.spotservhost.com ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 07:54:46 -0500
                                                  220-We do not authorize the use of this system to transport unsolicited,
                                                  220 and/or bulk e-mail.
                                                  Feb 23, 2021 13:54:47.339210987 CET49732587192.168.2.3144.217.69.193EHLO 721680
                                                  Feb 23, 2021 13:54:47.474318027 CET58749732144.217.69.193192.168.2.3250-server112.spotservhost.com Hello 721680 [84.17.52.38]
                                                  250-SIZE 52428800
                                                  250-8BITMIME
                                                  250-PIPELINING
                                                  250-STARTTLS
                                                  250 HELP
                                                  Feb 23, 2021 13:54:47.474642992 CET49732587192.168.2.3144.217.69.193STARTTLS
                                                  Feb 23, 2021 13:54:47.614777088 CET58749732144.217.69.193192.168.2.3220 TLS go ahead
                                                  Feb 23, 2021 13:54:51.935015917 CET58749738144.217.69.193192.168.2.3220-server112.spotservhost.com ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 07:54:51 -0500
                                                  220-We do not authorize the use of this system to transport unsolicited,
                                                  220 and/or bulk e-mail.
                                                  Feb 23, 2021 13:54:51.935560942 CET49738587192.168.2.3144.217.69.193EHLO 721680
                                                  Feb 23, 2021 13:54:52.069746971 CET58749738144.217.69.193192.168.2.3250-server112.spotservhost.com Hello 721680 [84.17.52.38]
                                                  250-SIZE 52428800
                                                  250-8BITMIME
                                                  250-PIPELINING
                                                  250-STARTTLS
                                                  250 HELP
                                                  Feb 23, 2021 13:54:52.070053101 CET49738587192.168.2.3144.217.69.193STARTTLS
                                                  Feb 23, 2021 13:54:52.264549017 CET58749738144.217.69.193192.168.2.3220 TLS go ahead

                                                  Code Manipulations

                                                  Statistics

                                                  Behavior

                                                  Click to jump to process

                                                  System Behavior

                                                  Analysis Process: Product List.exe PID: 3488 Parent PID: 5604

                                                  General

                                                  Start time:13:52:56
                                                  Start date:23/02/2021
                                                  Path:C:\Users\user\Desktop\Product List.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Users\user\Desktop\Product List.exe'
                                                  Imagebase:0xaf0000
                                                  File size:578048 bytes
                                                  MD5 hash:DF1A8E7FFA630DB4A9FA38ABAEC4C0D2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.222405130.0000000002F21000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.222608078.0000000002FA1000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.223740683.0000000004194000.00000004.00000001.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Analysis Process: schtasks.exe PID: 4092 Parent PID: 3488

                                                  General

                                                  Start time:13:53:05
                                                  Start date:23/02/2021
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oObXLwwKgq' /XML 'C:\Users\user\AppData\Local\Temp\tmp3F53.tmp'
                                                  Imagebase:0xc60000
                                                  File size:185856 bytes
                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Analysis Process: conhost.exe PID: 3920 Parent PID: 4092

                                                  General

                                                  Start time:13:53:05
                                                  Start date:23/02/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6b2800000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Analysis Process: Product List.exe PID: 1928 Parent PID: 3488

                                                  General

                                                  Start time:13:53:06
                                                  Start date:23/02/2021
                                                  Path:C:\Users\user\Desktop\Product List.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\Desktop\Product List.exe
                                                  Imagebase:0x2a0000
                                                  File size:578048 bytes
                                                  MD5 hash:DF1A8E7FFA630DB4A9FA38ABAEC4C0D2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  Analysis Process: Product List.exe PID: 3152 Parent PID: 3488

                                                  General

                                                  Start time:13:53:06
                                                  Start date:23/02/2021
                                                  Path:C:\Users\user\Desktop\Product List.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\Product List.exe
                                                  Imagebase:0x8e0000
                                                  File size:578048 bytes
                                                  MD5 hash:DF1A8E7FFA630DB4A9FA38ABAEC4C0D2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.470702532.0000000002DD1000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.465877496.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Disassembly

                                                  Code Analysis

                                                  Reset < >