Analysis Report ST_PLC URGENT ORDER 0223308737,pdf.exe

Overview

General Information

Sample Name: ST_PLC URGENT ORDER 0223308737,pdf.exe
Analysis ID: 356838
MD5: 49b05de1926be1ea5993874ad14c8d3a
SHA1: 92caf8d81c1cddab1e799d730b6f31b8820bdef5
SHA256: f5a3420b7aa30f99c877d5a661625e37b79841f4bc99bd17a75d46eb86e4791d
Tags: exe, SnakeKeylogger

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
PE file contains section with special chars
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected Beds Obfuscator
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@endovision.xyzr)($czxJs0smtp.endovision.xyz"}}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256 | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |
0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack | JoeSecurity_BedsObfuscator | Yara detected Beds Obfuscator | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "info@endovision.xyzr)($czxJs0smtp.endovision.xyz"}}
Multi AV Scanner detection for submitted file
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | ReversingLabs: Detection: 31%
Machine Learning detection for sample
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Joe Sandbox ML: detected
Source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen
Source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.190000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3

Compliance:

Uses 32bit PE files
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49726 version: TLS 1.0
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Joe Sandbox View | IP Address: 216.146.43.70
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49726 version: TLS 1.0
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: ST_PLC URGENT ORDER 0223308737,pdf.exe
PE file contains section with special chars
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: section name: qd?b#D
PE file has nameless sections
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe | Static PE information: section name:
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.325052772.00000000026AB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGALJS2L7.exe4 vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000000.233357926.00000000001FE000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameY vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.324869005.0000000002651000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.503626683.0000000000C6E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameY vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.503246705.0000000000466000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameGALJS2L7.exe4 vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.503854673.00000000010F6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeBinary or memory string: OriginalFilenameY vs ST_PLC URGENT ORDER 0223308737,pdf.exe
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeStatic PE information: Section: qd?b#D ZLIB complexity 1.00040910051
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ST_PLC URGENT ORDER 0223308737,pdf.exe.logJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeReversingLabs: Detection: 31%
                      Source: unknownProcess created: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe 'C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe'
                      Source: unknownProcess created: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe {path}
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeProcess created: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe {path}
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: ST_PLC URGENT ORDER 0223308737,pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match -- File source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256, type: MEMORY
Source: Yara match -- File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 5656, type: MEMORY
Source: Yara match -- File source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack, type: UNPACKEDPE
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe -- Static PE information: section name: qd?b#D
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe -- Static PE information: section name: (empty name)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Code function: 0_2_023A9556 push A4E94827h; iretd
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Code function: 0_2_023BE39D push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Code function: 0_2_023B6E4E push ebp; ret
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Code function: 0_2_023B6F19 push FFFFFF8Bh; iretd
Source: initial sample -- Static PE information: section name: qd?b#D entropy: 7.99769775695
Source: initial sample -- Static PE information: section name: .text entropy: 7.94788728273
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Process information set: NOOPENFILEERRORBOX (81 identical entries)
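The static entries above (a section named qd?b#D, a section with an empty name, and section entropies of 7.998 and 7.948 bits per byte against a maximum of 8.0) are the cheapest triage signal in this report: a .text section that is itself near-random means the managed code is encrypted in place, not merely wrapped in an overlay. The following script is an added example, not part of the sandbox report or of any Joe Sandbox tooling; it reproduces those checks with only the Python standard library. The HIGH_ENTROPY threshold, the list of "ordinary" section names and the constructed test image are my own assumptions.

```python
"""Static section triage for a PE file: names, entropy, and permissions.

Added example (not the sandbox's or the sample's code). Reproduces the
report's static PE findings: a section with special characters in its
name, a nameless section, and near-8.0 entropy in .text and the packed
section. Threshold and "ordinary" names below are assumptions.
"""
import math
import random
import struct

HIGH_ENTROPY = 7.2  # assumption: bits/byte above which a section is treated as packed
ORDINARY_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".sxdata"}
ALLOWED_NAME_CHARS = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the section table and yield (raw name, characteristics, raw section bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt                         # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        off = table + 40 * i
        raw_name = pe[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        characteristics = struct.unpack_from("<I", pe, off + 36)[0]
        yield raw_name, characteristics, pe[raw_ptr:raw_ptr + raw_size]


def analyze_pe(pe: bytes):
    """Return one dict per section: decoded name, entropy, size and triage flags."""
    results = []
    for raw_name, chars, data in parse_sections(pe):
        flags = []
        if not raw_name:
            flags.append("nameless")
        elif any(b not in ALLOWED_NAME_CHARS for b in raw_name):
            flags.append("special-chars")
        name = raw_name.decode("latin-1")
        if raw_name and name not in ORDINARY_NAMES:
            flags.append("non-standard-name")
        ent = shannon_entropy(data)
        if ent >= HIGH_ENTROPY:
            flags.append("high-entropy")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append("rwx")
        results.append({"name": name, "entropy": round(ent, 3), "size": len(data), "flags": flags})
    return results


def build_test_pe() -> bytes:
    """Constructed minimal 32-bit PE (not a real sample) mimicking the report's section layout."""
    rng = random.Random(1)
    blobs = [
        (b".text", 0x60000020, b"\x90" * 500 + b"\xc3" * 12),                     # low-entropy code
        (b"qd?b#D", 0xE0000020, bytes(rng.getrandbits(8) for _ in range(4096))),  # packed, RWX
        (b"", 0x40000040, bytes(range(64)) * 4),                                   # nameless data
    ]
    size_opt = 0xE0
    headers_len = 0x40 + 4 + 20 + size_opt + 40 * len(blobs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(blobs), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)             # PE32 magic, rest zeroed
    table, body, ptr = b"", b"", headers_len
    for name, chars, data in blobs:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), ptr, len(data), ptr, 0, 0, 0, 0, chars)
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + table + body


if __name__ == "__main__":
    import sys
    pe = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe()
    for s in analyze_pe(pe):
        print(f"{s['name']!r:12} size={s['size']:7d} entropy={s['entropy']:.3f} {' '.join(s['flags'])}")
```

Run it with the sample path as the first argument to reproduce the report's numbers; with no argument it runs on the constructed image. Section entropy above roughly 7.2 on a .NET executable is a stronger signal than a strange section name on its own, because obfuscators can rename sections freely but cannot make encrypted IL look like plaintext IL.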

Malware Analysis System Evasion:

Yara detected Beds Obfuscator
Source: Yara match -- File source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256, type: MEMORY
Source: Yara match -- File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 5656, type: MEMORY
Source: Yara match -- File source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe TID: 6292 -- Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe TID: 6280 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Process information queried: ProcessInformation
Note on the delay values: the sandbox reports the NtDelayExecution interval in milliseconds despite the "s" suffix, and 922337203685477 is 2^63 / 10^4, i.e. the 0x8000000000000000 interval that Sleep(INFINITE) / Thread.Sleep(Timeout.Infinite) passes down. The TID 6280 entry is therefore a thread parked indefinitely (typical of a .NET keylogger keeping a worker alive), not a timed sleep; only the 45000 ms delay on TID 6292 is a candidate for a real sandbox-evasion sleep.

Anti Debugging:

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Code function: 0_2_00BA1798 CheckRemoteDebuggerPresent,
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Process queried: DebugPort (2 identical entries)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Code function: 9_2_06832D50 LdrInitializeThunk,
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Process token adjusted: Debug (2 identical entries)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Memory allocated: page read and write | page guard
Note: CheckRemoteDebuggerPresent is a thin wrapper over NtQueryInformationProcess(ProcessDebugPort), so the DebugPort queries are most likely the same check rather than a second, independent anti-debug technique. "Process token adjusted: Debug" is SeDebugPrivilege being enabled; the sample does not need it to open its own child process, so it is either boilerplate in the injector or preparation for opening processes owned by other users.

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Memory written: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Process created: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe {path}
The "foreign process" here is a second, suspended copy of the sample's own image (the {path} child). Writing a buffer that begins with the MZ signature (4D5A) at the child's image base 0x400000 is the RunPE / process-hollowing pattern; the Beds-obfuscated payload that the Yara rules match at 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack is what ends up executing in that child.
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.507743136.0000000001A00000.00000002.00000001.sdmp -- Binary or memory string: uProgram Manager
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.507743136.0000000001A00000.00000002.00000001.sdmp -- Binary or memory string: Shell_TrayWnd
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.507743136.0000000001A00000.00000002.00000001.sdmp -- Binary or memory string: Progman
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.507743136.0000000001A00000.00000002.00000001.sdmp -- Binary or memory string: Progmanlock
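The injection evidence above is the kind of thing a detection engineer wants to reproduce from raw API events rather than trust a single signature, because the same three calls (create suspended, write an MZ-prefixed buffer into the child, resume) distinguish hollowing from benign debugger or installer behaviour. The script below is an added example and is neither the sandbox's nor the sample's code. Its EVENTS list is constructed to mirror this report: a copy of the sample's own image is started suspended, a buffer starting with 4D5A is written to it at 0x400000, and the child is resumed. The field names, the API names, the NtResumeThread event and the choice of 5656 as parent and 6256 as child are assumptions; the report itself only shows the suspended create and the MZ write.

```python
"""Correlate sandbox API events into a PE-injection / process-hollowing verdict.

Added example, not part of the sandbox report and not the sample's code.
EVENTS is a constructed trace modelled on the report; field names, API
names, the resume event and the parent/child PID assignment are assumptions.
"""

CREATE_SUSPENDED = 0x00000004
SAMPLE = r"C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe"

# Constructed trace. "source" is the image path of the process making the call.
EVENTS = [
    {"pid": 5656, "source": SAMPLE, "api": "CreateProcessW",
     "image": SAMPLE, "flags": CREATE_SUSPENDED, "child_pid": 6256},
    {"pid": 5656, "source": SAMPLE, "api": "NtWriteVirtualMemory",
     "target_pid": 6256, "base": 0x400000, "data": b"MZ\x90\x00\x03\x00\x00\x00"},
    {"pid": 5656, "source": SAMPLE, "api": "NtWriteVirtualMemory",
     "target_pid": 6256, "base": 0x402000, "data": b"\x00" * 8},
    {"pid": 5656, "source": SAMPLE, "api": "NtResumeThread", "target_pid": 6256},
    # Control: a suspended child that only receives non-PE data (no finding expected).
    {"pid": 5656, "source": SAMPLE, "api": "CreateProcessW",
     "image": r"C:\Windows\System32\notepad.exe", "flags": CREATE_SUSPENDED, "child_pid": 7000},
    {"pid": 5656, "source": SAMPLE, "api": "NtWriteVirtualMemory",
     "target_pid": 7000, "base": 0x10000, "data": b"hello"},
    {"pid": 5656, "source": SAMPLE, "api": "NtResumeThread", "target_pid": 7000},
    # Control: a process writing an MZ header into its own address space is not injection.
    {"pid": 6256, "source": SAMPLE, "api": "NtWriteVirtualMemory",
     "target_pid": 6256, "base": 0x500000, "data": b"MZ\x90\x00"},
]


def detect_pe_injection(events):
    """Return one finding per target process that received a PE image from another process.

    A finding starts as plain "pe-injection" (a foreign process writes an MZ header into
    the target) and is upgraded to "process-hollowing" when the writer is also the process
    that created the target suspended; "resumed" records that execution was released.
    """
    suspended = {}   # child pid -> (creator pid, child image path)
    findings = {}    # target pid -> finding
    for ev in events:
        api = ev["api"]
        if api == "CreateProcessW" and ev["flags"] & CREATE_SUSPENDED:
            suspended[ev["child_pid"]] = (ev["pid"], ev["image"])
        elif api == "NtWriteVirtualMemory":
            tgt = ev["target_pid"]
            if tgt == ev["pid"] or ev["data"][:2] != b"MZ":
                continue     # self-writes and non-PE buffers are not PE injection
            f = findings.setdefault(tgt, {
                "writer_pid": ev["pid"], "target_pid": tgt, "technique": "pe-injection",
                "bases": [], "self_injection": False, "resumed": False})
            f["bases"].append(ev["base"])
            creator = suspended.get(tgt)
            if creator and creator[0] == ev["pid"]:
                f["technique"] = "process-hollowing"
                # The report's "foreign process" is a second copy of the sample's own image.
                f["self_injection"] = creator[1].lower() == ev["source"].lower()
        elif api == "NtResumeThread" and ev["target_pid"] in findings:
            findings[ev["target_pid"]]["resumed"] = True
    return list(findings.values())


def describe(finding):
    """One-line summary in the style of the report's signature lines."""
    bases = ", ".join(f"{b:#x}" for b in finding["bases"])
    tag = " (self-image)" if finding["self_injection"] else ""
    state = "resumed" if finding["resumed"] else "not resumed"
    return (f"{finding['technique']}{tag}: pid {finding['writer_pid']} wrote a PE image into "
            f"pid {finding['target_pid']} at {bases}; child {state}")


if __name__ == "__main__":
    for f in detect_pe_injection(EVENTS):
        print(describe(f))
```

The MZ check on the first two bytes of each write is deliberately narrow: it is what the report's own signature keys on, and it keeps the rule quiet on the common benign case of a parent patching a few bytes into a suspended child. A real pipeline would also watch for NtUnmapViewOfSection on the child and SetThreadContext pointing the entry point into the written region, neither of which this report lists.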
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe -- Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

                      Stealing of Sensitive Information:

Yara detected Snake Keylogger
Source: Yara match | File source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256, type: MEMORY
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 5656, type: MEMORY
Source: Yara match | File source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 5656, type: MEMORY

                      Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match | File source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 6256, type: MEMORY
Source: Yara match | File source: Process Memory Space: ST_PLC URGENT ORDER 0223308737,pdf.exe PID: 5656, type: MEMORY
Source: Yara match | File source: 9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.36fb770.3.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 1 | Security Software Discovery 11 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 4 | Cached Domain Credentials | System Information Discovery 13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

                      Behavior Graph


                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label | Link
ST_PLC URGENT ORDER 0223308737,pdf.exe | 32% | ReversingLabs | Win32.Trojan.AgentTesla |
ST_PLC URGENT ORDER 0223308737,pdf.exe | 100% | Joe Sandbox ML | |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
9.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen | | Download File
0.2.ST_PLC URGENT ORDER 0223308737,pdf.exe.190000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3 | | Download File

                      Domains

Source | Detection | Scanner | Label | Link
freegeoip.app | 0% | Virustotal | | Browse
checkip.dyndns.com | 0% | Virustotal | | Browse

                      URLs

Source | Detection | Scanner | Label | Link
http://www.carterandcone.comits) | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://www.carterandcone.comva | 0% | URL Reputation | safe |
http://www.carterandcone.comva | 0% | URL Reputation | safe |
http://www.carterandcone.comva | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnv-s | 0% | Avira URL Cloud | safe |
https://freegeoip.app | 0% | URL Reputation | safe |
https://freegeoip.app | 0% | URL Reputation | safe |
https://freegeoip.app | 0% | URL Reputation | safe |
http://checkip.dyndns.org/HB:l0A | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://en.wU | 0% | Avira URL Cloud | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnC | 0% | Avira URL Cloud | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe |
http://www.agfamonotype.t | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.fontbureau.comgrito | 0% | URL Reputation | safe |
http://www.fontbureau.comgrito | 0% | URL Reputation | safe |
http://www.fontbureau.comgrito | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnn-u | 0% | Avira URL Cloud | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://checkip.dyndns.com | 0% | Avira URL Cloud | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://freegeoip.app | 0% | URL Reputation | safe |
http://freegeoip.app | 0% | URL Reputation | safe |
http://freegeoip.app | 0% | URL Reputation | safe |
https://freegeoip.app/xml/ | 0% | URL Reputation | safe |
https://freegeoip.app/xml/ | 0% | URL Reputation | safe |
https://freegeoip.app/xml/ | 0% | URL Reputation | safe |
http://www.founder.com.cn/cnold | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comue | 0% | Avira URL Cloud | safe |
http://checkip.dyndns.org | 0% | Avira URL Cloud | safe |
https://freegeoip.app/xml/84.17.52.38x | 0% | URL Reputation | safe |
https://freegeoip.app/xml/84.17.52.38x | 0% | URL Reputation | safe |
https://freegeoip.app/xml/84.17.52.38x | 0% | URL Reputation | safe |
https://freegeoip.app/xml/LoadCountryNameClipboard | 0% | URL Reputation | safe |
https://freegeoip.app/xml/LoadCountryNameClipboard | 0% | URL Reputation | safe |
https://freegeoip.app/xml/LoadCountryNameClipboard | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cnva | 0% | Avira URL Cloud | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
https://freegeoip.app/xml/84.17.52.38 | 0% | URL Reputation | safe |
https://freegeoip.app/xml/84.17.52.38 | 0% | URL Reputation | safe |
https://freegeoip.app/xml/84.17.52.38 | 0% | URL Reputation | safe |
http://checkip.dyndns.orgD8ok | 0% | Avira URL Cloud | safe |
https://freegeoip.app4okl | 0% | Avira URL Cloud | safe |

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
freegeoip.app | 104.21.19.200 | true | false | | unknown
checkip.dyndns.com | 216.146.43.70 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://www.fontbureau.com/designersGST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmpfalse
                          high
                          http://www.carterandcone.comits)ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.241379781.0000000007CAA000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          low
                          http://www.fontbureau.com/designers/?ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmpfalse
                            high
                            http://www.founder.com.cn/cn/bTheST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers?ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmpfalse
                              high
                              http://www.carterandcone.comvaST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.241183518.0000000007CDE000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cnv-sST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240657129.0000000007CDE000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://freegeoip.appST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://checkip.dyndns.org/HB:l0AST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.tiro.comST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://en.wUST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240592808.0000000007CA5000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
URL: http://www.fontbureau.com/designers
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Reputation: high

URL: http://www.goodfont.co.kr
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.founder.com.cn/cnC
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240451930.0000000007CDE000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://www.sajatypeworks.com
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.typography.netD
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.founder.com.cn/cn/cThe
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.galapagosdesign.com/staff/dennis.htm
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://fontfabrik.com
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.agfamonotype.t
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.323215970.0000000007CA0000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://www.galapagosdesign.com/DPlease
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.fontbureau.comgrito
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.324374669.0000000000BD7000.00000004.00000040.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp
Malicious: false
Reputation: high

URL: http://www.founder.com.cn/cnn-u
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240625033.0000000007CBB000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://www.fonts.com
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Reputation: high

URL: http://www.sandoll.co.kr
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://checkip.dyndns.com
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509435893.00000000031FD000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://www.urwpp.deDPlease
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.zhongyicts.com.cn
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp
Malicious: false
Reputation: high

URL: http://www.sakkal.com
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://freegeoip.app
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: https://freegeoip.app/xml/
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.apache.org/licenses/LICENSE-2.0
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Reputation: high

URL: http://www.fontbureau.com
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Reputation: high

URL: http://www.founder.com.cn/cnold
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240625033.0000000007CBB000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://www.fontbureau.comue
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.324374669.0000000000BD7000.00000004.00000040.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://checkip.dyndns.org
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

URL: https://freegeoip.app/xml/84.17.52.38x
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509245572.00000000031B1000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.carterandcone.coml
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.founder.com.cn/cn/
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240789901.0000000007CDE000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Reputation: high

URL: http://www.founder.com.cn/cn
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240625033.0000000007CBB000.00000004.00000001.sdmp; ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.240840157.0000000007CDE000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.fontbureau.com/designers/frere-jones.html
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Reputation: high

URL: http://www.zhongyicts.com.cnva
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000003.241159879.0000000007CDF000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

URL: http://www.jiyu-kobo.co.jp/
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://www.fontbureau.com/designers8
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000000.00000002.333635479.0000000007D90000.00000002.00000001.sdmp
Malicious: false
Reputation: high

URL: https://freegeoip.app/xml/84.17.52.38
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: URL Reputation: safe; URL Reputation: safe; URL Reputation: safe
Reputation: unknown

URL: http://checkip.dyndns.orgD8ok
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

URL: https://freegeoip.app4okl
Source: ST_PLC URGENT ORDER 0223308737,pdf.exe, 00000009.00000002.509508033.0000000003206000.00000004.00000001.sdmp
Malicious: false
Antivirus detection: Avira URL Cloud: safe
Reputation: unknown

                                                Contacted IPs


                                                Public

IP: 216.146.43.70
Domain: unknown
Country: United States
ASN: 33517
ASN name: DYNDNSUS
Malicious: false

IP: 104.21.19.200
Domain: unknown
Country: United States
ASN: 13335
ASN name: CLOUDFLARENETUS
Malicious: false

                                                General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356838
Start date: 23.02.2021
Start time: 17:36:45
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 42s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ST_PLC URGENT ORDER 0223308737,pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.42.151.234, 51.11.168.160, 40.88.32.150, 13.88.21.125, 104.43.139.144, 23.211.6.115, 23.218.208.56, 52.147.198.201, 2.20.142.210, 2.20.142.209, 8.253.207.120, 8.248.97.254, 8.238.85.126, 8.241.80.126, 8.248.115.254, 51.103.5.186, 51.104.139.180, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129
                                                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

Time: 17:37:44
Type: API Interceptor
Description: 1x Sleep call for process: ST_PLC URGENT ORDER 0223308737,pdf.exe modified

                                                Joe Sandbox View / Context

                                                IPs

Match: 216.146.43.70
Associated sample name / URL (detection; context):
• QUOTE.doc (malicious; context: checkip.dyndns.org/)
• 9073782912,pdf.exe (malicious; context: checkip.dyndns.org/)
• DHL Shipment Notification 6368638172.pdf.exe (malicious; context: checkip.dyndns.org/)
• SecuriteInfo.com.Trojan.Inject4.6572.13919.exe (malicious; context: checkip.dyndns.org/)
• ORDER PURCHASE ITEMS.exe (malicious; context: checkip.dyndns.org/)
• SwiftCopyTT.exe (malicious; context: checkip.dyndns.org/)
• purchase order.exe (malicious; context: checkip.dyndns.org/)
• purchase order.exe (malicious; context: checkip.dyndns.org/)
• SHIPPING DOCUMENTS_PDF.exe (malicious; context: checkip.dyndns.org/)
• Product Specification#742852.exe (malicious; context: checkip.dyndns.org/)
• PO-SCHF-CCM_NFI_FSL-RED-20-01 001-A.PDF.exe (malicious; context: checkip.dyndns.org/)
• DHL_Receipt Document_7368638172,pdf.exe (malicious; context: checkip.dyndns.org/)
• pay09809988.exe (malicious; context: checkip.dyndns.org/)
• Medisave Order 180827.exe (malicious; context: checkip.dyndns.org/)
• New_Order.exe (malicious; context: checkip.dyndns.org/)
• PO on demand 4000270283-B60.exe (malicious; context: checkip.dyndns.org/)
• PO.xls (malicious; context: checkip.dyndns.org/)
• Quotes.xlsm (malicious; context: checkip.dyndns.org/)
• Purchase Orde.exe (malicious; context: checkip.dyndns.org/)
• DHL_FORM_16022021.exe (malicious; context: checkip.dyndns.org/)

                                                Domains

Match: checkip.dyndns.com
Associated sample name / URL (detection; context):
• P00760000.exe (malicious; context: 162.88.193.70)
• Order.doc (malicious; context: 131.186.113.70)
• QUOTE.doc (malicious; context: 216.146.43.70)
• Shipment Notification 6368638172.pdf.exe (malicious; context: 162.88.193.70)
• purchase order.exe (malicious; context: 131.186.113.70)
• 9073782912,pdf.exe (malicious; context: 216.146.43.70)
• IMG_57109_Scanned.doc (malicious; context: 131.186.113.70)
• Purchase Order.exe (malicious; context: 131.186.113.70)
• dot crypted.exe (malicious; context: 131.186.113.70)
• v2.exe (malicious; context: 131.186.113.70)
• Shipping Document PL&BL Draft.exe (malicious; context: 216.146.43.71)
• Halkbank_Ekstre_20210223_082357_541079.exe (malicious; context: 162.88.193.70)
• FOB offer_1164087223_I0133P2100363812.PDF.exe (malicious; context: 162.88.193.70)
• PURCHASE ORDER CONFIRMATION.exe (malicious; context: 131.186.113.70)
• Yao Han Industries 61007-51333893QR001U,pdf.exe (malicious; context: 131.186.113.70)
• (appproved)WJO-TT180,pdf.exe (malicious; context: 131.186.161.70)
• purchase order.exe (malicious; context: 131.186.113.70)
• 9073782912,pdf.exe (malicious; context: 131.186.113.70)
• SOS URGENT RFQ #2345.exe (malicious; context: 131.186.113.70)
• purchase order 1.exe (malicious; context: 162.88.193.70)

Match: freegeoip.app
Associated sample name / URL (detection; context):
• P00760000.exe (malicious; context: 104.21.19.200)
• Order.doc (malicious; context: 104.21.19.200)
• QUOTE.doc (malicious; context: 104.21.19.200)
• Shipment Notification 6368638172.pdf.exe (malicious; context: 172.67.188.154)
• purchase order.exe (malicious; context: 104.21.19.200)
• 9073782912,pdf.exe (malicious; context: 104.21.19.200)
• IMG_57109_Scanned.doc (malicious; context: 104.21.19.200)
• Purchase Order.exe (malicious; context: 104.21.19.200)
• dot crypted.exe (malicious; context: 104.21.19.200)
• v2.exe (malicious; context: 172.67.188.154)
• Shipping Document PL&BL Draft.exe (malicious; context: 172.67.188.154)
• Halkbank_Ekstre_20210223_082357_541079.exe (malicious; context: 172.67.188.154)
• FOB offer_1164087223_I0133P2100363812.PDF.exe (malicious; context: 104.21.19.200)
• PURCHASE ORDER CONFIRMATION.exe (malicious; context: 172.67.188.154)
• Yao Han Industries 61007-51333893QR001U,pdf.exe (malicious; context: 172.67.188.154)
• (appproved)WJO-TT180,pdf.exe (malicious; context: 104.21.19.200)
• purchase order.exe (malicious; context: 172.67.188.154)
• 9073782912,pdf.exe (malicious; context: 172.67.188.154)
• SOS URGENT RFQ #2345.exe (malicious; context: 104.21.19.200)
• purchase order 1.exe (malicious; context: 172.67.188.154)

                                                ASN

Match: DYNDNSUS
Associated sample name / URL (detection; context):
• P00760000.exe (malicious; context: 162.88.193.70)
• Order.doc (malicious; context: 162.88.193.70)
• QUOTE.doc (malicious; context: 216.146.43.70)
• Shipment Notification 6368638172.pdf.exe (malicious; context: 162.88.193.70)
• purchase order.exe (malicious; context: 131.186.113.70)
• 9073782912,pdf.exe (malicious; context: 216.146.43.70)
• IMG_57109_Scanned.doc (malicious; context: 131.186.113.70)
• Purchase Order.exe (malicious; context: 131.186.113.70)
• dot crypted.exe (malicious; context: 131.186.113.70)
• v2.exe (malicious; context: 131.186.113.70)
• Shipping Document PL&BL Draft.exe (malicious; context: 216.146.43.71)
• Halkbank_Ekstre_20210223_082357_541079.exe (malicious; context: 162.88.193.70)
• FOB offer_1164087223_I0133P2100363812.PDF.exe (malicious; context: 162.88.193.70)
• PURCHASE ORDER CONFIRMATION.exe (malicious; context: 131.186.113.70)
• Yao Han Industries 61007-51333893QR001U,pdf.exe (malicious; context: 131.186.113.70)
• (appproved)WJO-TT180,pdf.exe (malicious; context: 131.186.161.70)
• purchase order.exe (malicious; context: 131.186.113.70)
• 9073782912,pdf.exe (malicious; context: 131.186.113.70)
• SOS URGENT RFQ #2345.exe (malicious; context: 131.186.113.70)
• purchase order 1.exe (malicious; context: 162.88.193.70)

Match: CLOUDFLARENETUS
Associated sample name / URL (detection; context):
• SecuriteInfo.com.Trojan.GenericKD.45695593.9197.exe (malicious; context: 172.67.199.58)
• SecuriteInfo.com.Trojan.Siggen12.2497.1023.exe (malicious; context: 104.23.98.190)
• 1vuet1S3tI.exe (malicious; context: 172.67.199.58)
• P00760000.exe (malicious; context: 104.21.19.200)
• Order.doc (malicious; context: 104.21.19.200)
• QUOTE.doc (malicious; context: 104.21.19.200)
• Shipment Notification 6368638172.pdf.exe (malicious; context: 172.67.188.154)
• 2070121_SN-WS.exe (malicious; context: 104.21.71.230)
• purchase order.exe (malicious; context: 104.21.19.200)
• 9073782912,pdf.exe (malicious; context: 104.21.19.200)
• payment_advice.doc (malicious; context: 172.67.172.17)
• IMG_57109_Scanned.doc (malicious; context: 172.67.188.154)
• Purchase Order.exe (malicious; context: 104.21.19.200)
• dot crypted.exe (malicious)
                                                • 104.21.19.200
                                                New Order 2300030317388 InterMetro.exeGet hashmaliciousBrowse
                                                • 172.67.172.17
                                                CN-Invoice-XXXXX9808-19011143287989.exeGet hashmaliciousBrowse
                                                • 172.67.172.17
                                                Purchase Order list.exeGet hashmaliciousBrowse
                                                • 104.21.23.61
                                                RkoKlvuLh6.exeGet hashmaliciousBrowse
                                                • 162.159.136.232
                                                i0fOtOV8v0.exeGet hashmaliciousBrowse
                                                • 104.23.99.190
                                                P3knxzE7wN.exeGet hashmaliciousBrowse
                                                • 162.159.128.233

                                                JA3 Fingerprints


                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ST_PLC URGENT ORDER 0223308737,pdf.exe.log
                                                Process: C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
                                                File Type: ASCII text, with CRLF line terminators
                                                Category: dropped
                                                Size (bytes): 1216
                                                Entropy (8bit): 5.355304211458859
                                                Encrypted: false
                                                SSDEEP: 24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzr
                                                MD5: B666A4404B132B2BF6C04FBF848EB948
                                                SHA1: D2EFB3D43F8B8806544D3A47F7DAEE8534981739
                                                SHA-256: 7870616D981C8C0DE9A54E7383CD035470DB20CBF75ACDF729C32889D4B6ED96
                                                SHA-512: 00E955EE9F14CEAE07E571A8EF2E103200CF421BAE83A66ED9F9E1AA6A9F449B653EDF1BFDB662A364D58ECF9B5FE4BB69D590DB2653F2F46A09F4D47719A862
                                                Malicious: true
                                                Reputation: moderate, very likely benign file
                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                Static File Info

                                                General

                                                File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit): 7.9094410868579645
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                • Win32 Executable (generic) a (10002005/4) 49.96%
                                                • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name: ST_PLC URGENT ORDER 0223308737,pdf.exe
                                                File size: 451584
                                                MD5: 49b05de1926be1ea5993874ad14c8d3a
                                                SHA1: 92caf8d81c1cddab1e799d730b6f31b8820bdef5
                                                SHA256: f5a3420b7aa30f99c877d5a661625e37b79841f4bc99bd17a75d46eb86e4791d
                                                SHA512: 03f249e4037b9ca54a278b2179bb41d13635c11e1c5ac9e553850963953eaae9e06e9d130424afd599792949f611491a6efa203d17f02c31add73695171247da
                                                SSDEEP: 12288:205SiHsQ5WL82LHE4NnJRbDJ51n4OhNl2Eo6:2qHRWLjHNLX1VNk
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4`..............0..l...t.......`...`... ....@.. ....................................@................................

                                                File Icon

                                                Icon Hash: 00870c0808c44c00

                                                Static PE Info

                                                General

                                                Entrypoint: 0x47600a
                                                Entrypoint Section:
                                                Digitally signed: false
                                                Imagebase: 0x400000
                                                Subsystem: windows gui
                                                Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp: 0x6034FDA3 [Tue Feb 23 13:05:39 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version: v4.0.30319
                                                OS Version Major: 4
                                                OS Version Minor: 0
                                                File Version Major: 4
                                                File Version Minor: 0
                                                Subsystem Version Major: 4
                                                Subsystem Version Minor: 0
                                                Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00476000h]
                                                add byte ptr [eax], al

                                                Data Directories

                                                Name                                  Virtual Address  Virtual Size  Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x16988          0x53          .text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6e000          0x48c8        .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x74000          0xc           .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_IAT             0x76000          0x8
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x16000          0x48          .text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                Sections

                                                Name        Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                qd?b#D      0x2000           0x126dc       0x12800   False     1.00040910051    data       7.99769775695    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                .text       0x16000          0x56920       0x56a00   False     0.935518691378   data       7.94788728273    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rsrc       0x6e000          0x48c8        0x4a00    False     0.250369510135   data       3.76229374867    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc      0x74000          0xc           0x200     False     0.044921875      data       0.0980041756627  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                (nameless)  0x76000          0x10          0x200     False     0.044921875      data       0.142635768149   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name           RVA      Size    Type                                                                                                                                          Language  Country
                                                RT_ICON        0x6e130  0x4228  dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4294967295, next used block 4294967295
                                                RT_GROUP_ICON  0x72358  0x14    data
                                                RT_VERSION     0x7236c  0x36c   data
                                                RT_MANIFEST    0x726d8  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                Imports

                                                DLL          Import
                                                mscoree.dll  _CorExeMain

                                                Version Infos

                                                Description       Data
                                                Translation       0x0000 0x04b0
                                                LegalCopyright    Copyright Neudesic 2017
                                                Assembly Version  1.0.0.0
                                                InternalName      YGxk.exe
                                                FileVersion       1.0.0.0
                                                CompanyName       Neudesic
                                                LegalTrademarks
                                                Comments
                                                ProductName       VectorBasedDrawing
                                                ProductVersion    1.0.0.0
                                                FileDescription   VectorBasedDrawing
                                                OriginalFilename  YGxk.exe

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets


                                                UDP Packets

                                                Feb 23, 2021 17:38:03.843122959 CET5045253192.168.2.78.8.8.8
                                                Feb 23, 2021 17:38:03.894375086 CET53504528.8.8.8192.168.2.7
                                                Feb 23, 2021 17:38:20.714721918 CET5973053192.168.2.78.8.8.8
                                                Feb 23, 2021 17:38:20.763413906 CET53597308.8.8.8192.168.2.7
                                                Feb 23, 2021 17:38:20.802294970 CET5931053192.168.2.78.8.8.8
                                                Feb 23, 2021 17:38:20.853791952 CET53593108.8.8.8192.168.2.7
                                                Feb 23, 2021 17:38:24.002441883 CET5191953192.168.2.78.8.8.8
                                                Feb 23, 2021 17:38:24.029129028 CET6429653192.168.2.78.8.8.8
                                                Feb 23, 2021 17:38:24.061353922 CET53519198.8.8.8192.168.2.7
                                                Feb 23, 2021 17:38:24.078514099 CET53642968.8.8.8192.168.2.7
                                                Feb 23, 2021 17:38:24.195754051 CET5668053192.168.2.78.8.8.8
                                                Feb 23, 2021 17:38:24.213799953 CET5882053192.168.2.78.8.8.8
                                                Feb 23, 2021 17:38:24.258230925 CET53566808.8.8.8192.168.2.7
                                                Feb 23, 2021 17:38:24.266051054 CET53588208.8.8.8192.168.2.7
                                                Feb 23, 2021 17:38:25.708842039 CET6098353192.168.2.78.8.8.8
                                                Feb 23, 2021 17:38:25.760257959 CET53609838.8.8.8192.168.2.7
                                                Feb 23, 2021 17:38:38.326183081 CET4924753192.168.2.78.8.8.8
                                                Feb 23, 2021 17:38:38.384884119 CET53492478.8.8.8192.168.2.7
                                                Feb 23, 2021 17:39:13.896173954 CET5228653192.168.2.78.8.8.8
                                                Feb 23, 2021 17:39:13.946187973 CET53522868.8.8.8192.168.2.7
                                                Feb 23, 2021 17:39:16.795876980 CET5606453192.168.2.78.8.8.8
                                                Feb 23, 2021 17:39:16.864464045 CET53560648.8.8.8192.168.2.7
                                                Feb 23, 2021 17:39:36.137834072 CET6374453192.168.2.78.8.8.8
                                                Feb 23, 2021 17:39:36.197748899 CET53637448.8.8.8192.168.2.7
                                                Feb 23, 2021 17:39:37.202028990 CET6145753192.168.2.78.8.8.8
                                                Feb 23, 2021 17:39:37.267780066 CET53614578.8.8.8192.168.2.7
                                                Feb 23, 2021 17:39:37.856884956 CET5836753192.168.2.78.8.8.8
                                                Feb 23, 2021 17:39:37.946634054 CET53583678.8.8.8192.168.2.7
                                                Feb 23, 2021 17:39:38.473057985 CET6059953192.168.2.78.8.8.8
                                                Feb 23, 2021 17:39:38.526653051 CET5957153192.168.2.78.8.8.8
                                                Feb 23, 2021 17:39:38.550015926 CET53605998.8.8.8192.168.2.7
                                                Feb 23, 2021 17:39:38.583594084 CET53595718.8.8.8192.168.2.7
                                                Feb 23, 2021 17:39:39.255326033 CET5268953192.168.2.78.8.8.8
                                                Feb 23, 2021 17:39:39.312680006 CET53526898.8.8.8192.168.2.7
                                                Feb 23, 2021 17:39:39.935694933 CET5029053192.168.2.78.8.8.8
                                                Feb 23, 2021 17:39:40.023211956 CET53502908.8.8.8192.168.2.7
                                                Feb 23, 2021 17:39:40.629940987 CET6042753192.168.2.78.8.8.8
                                                Feb 23, 2021 17:39:40.689760923 CET53604278.8.8.8192.168.2.7
                                                Feb 23, 2021 17:39:41.575957060 CET5620953192.168.2.78.8.8.8
                                                Feb 23, 2021 17:39:41.638529062 CET53562098.8.8.8192.168.2.7

                                                DNS Queries

                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                Feb 23, 2021 17:38:20.714721918 CET | 192.168.2.7 | 8.8.8.8 | 0x9b1e | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.802294970 CET | 192.168.2.7 | 8.8.8.8 | 0xfa3c | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:24.029129028 CET | 192.168.2.7 | 8.8.8.8 | 0xef52 | Standard query (0) | freegeoip.app | A (IP address) | IN (0x0001)

                                                DNS Answers

                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                Feb 23, 2021 17:38:20.763413906 CET | 8.8.8.8 | 192.168.2.7 | 0x9b1e | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.763413906 CET | 8.8.8.8 | 192.168.2.7 | 0x9b1e | No error (0) | checkip.dyndns.com | - | 216.146.43.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.763413906 CET | 8.8.8.8 | 192.168.2.7 | 0x9b1e | No error (0) | checkip.dyndns.com | - | 131.186.161.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.763413906 CET | 8.8.8.8 | 192.168.2.7 | 0x9b1e | No error (0) | checkip.dyndns.com | - | 162.88.193.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.763413906 CET | 8.8.8.8 | 192.168.2.7 | 0x9b1e | No error (0) | checkip.dyndns.com | - | 131.186.113.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.763413906 CET | 8.8.8.8 | 192.168.2.7 | 0x9b1e | No error (0) | checkip.dyndns.com | - | 216.146.43.71 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.853791952 CET | 8.8.8.8 | 192.168.2.7 | 0xfa3c | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.853791952 CET | 8.8.8.8 | 192.168.2.7 | 0xfa3c | No error (0) | checkip.dyndns.com | - | 216.146.43.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.853791952 CET | 8.8.8.8 | 192.168.2.7 | 0xfa3c | No error (0) | checkip.dyndns.com | - | 131.186.161.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.853791952 CET | 8.8.8.8 | 192.168.2.7 | 0xfa3c | No error (0) | checkip.dyndns.com | - | 162.88.193.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.853791952 CET | 8.8.8.8 | 192.168.2.7 | 0xfa3c | No error (0) | checkip.dyndns.com | - | 131.186.113.70 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:20.853791952 CET | 8.8.8.8 | 192.168.2.7 | 0xfa3c | No error (0) | checkip.dyndns.com | - | 216.146.43.71 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:24.078514099 CET | 8.8.8.8 | 192.168.2.7 | 0xef52 | No error (0) | freegeoip.app | - | 104.21.19.200 | A (IP address) | IN (0x0001)
                                                Feb 23, 2021 17:38:24.078514099 CET | 8.8.8.8 | 192.168.2.7 | 0xef52 | No error (0) | freegeoip.app | - | 172.67.188.154 | A (IP address) | IN (0x0001)

                                                HTTP Request Dependency Graph

                                                • checkip.dyndns.org

                                                HTTP Packets

                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                0 | 192.168.2.7 | 49723 | 216.146.43.70 | 80 | C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Feb 23, 2021 17:38:20.967432022 CET | 971 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Connection: Keep-Alive
                                                Feb 23, 2021 17:38:21.041201115 CET | 972 | IN | HTTP/1.1 200 OK
                                                Content-Type: text/html
                                                Server: DynDNS-CheckIP/1.0.1
                                                Connection: close
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                Content-Length: 103
                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.38</body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                1 | 192.168.2.7 | 49724 | 216.146.43.70 | 80 | C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Feb 23, 2021 17:38:21.311459064 CET | 976 | OUT | GET / HTTP/1.1
                                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                Host: checkip.dyndns.org
                                                Feb 23, 2021 17:38:21.387928963 CET | 976 | IN | HTTP/1.1 200 OK
                                                Content-Type: text/html
                                                Server: DynDNS-CheckIP/1.0.1
                                                Connection: close
                                                Cache-Control: no-cache
                                                Pragma: no-cache
                                                Content-Length: 103
                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 38 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.38</body></html>
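The two sessions above are the sample's public-IP check: a plain-HTTP GET to checkip.dyndns.org carrying an MSIE 6.0 / Windows NT 5.2 User-Agent that no current browser sends, answered with a 103-byte page that echoes the sandbox's egress address. The following is an added example, not part of the Joe Sandbox report, showing how a detection engineer would turn that exchange into a hunting check: parse the request, confirm the Host is an IP-lookup service, collect the corroborating indicators (legacy User-Agent, non-browser requesting image), and pull the echoed address out of the response after validating Content-Length. The request, response and process path are constructed from the session shown above; the extra hosts in IP_CHECK_HOSTS beyond checkip.dyndns.org, checkip.dyndns.com and freegeoip.app, and the browser list, are assumptions for illustration.

```python
import re

# Constructed from the first HTTP session in the report (request line, headers
# and the 103-byte response body as shown there); not a live capture.
REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
    "Host: checkip.dyndns.org\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Server: DynDNS-CheckIP/1.0.1\r\n"
    "Connection: close\r\n"
    "Cache-Control: no-cache\r\n"
    "Pragma: no-cache\r\n"
    "Content-Length: 103\r\n"
    "\r\n"
    "<html><head><title>Current IP Check</title></head><body>"
    "Current IP Address: 84.17.52.38</body></html>\r\n"
)
PROCESS = r"C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe"

# Services that echo the caller's public IP or geolocation. The first three are
# the hosts seen in this report; the others are assumed additions for coverage.
IP_CHECK_HOSTS = {
    "checkip.dyndns.org", "checkip.dyndns.com", "freegeoip.app",
    "api.ipify.org", "ip-api.com", "icanhazip.com",
}
# Images from which an IP-check lookup would be unremarkable (assumed list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# MSIE 5-7 on Windows NT 5.x: a User-Agent no current browser sends.
LEGACY_UA = re.compile(r"MSIE [5-7]\.\d;.*Windows NT 5\.[0-2]")
IP_IN_BODY = re.compile(r"Current IP Address: (\d{1,3}(?:\.\d{1,3}){3})")


def parse_http(message):
    """Split an HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, _, body = message.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def assess_request(raw_request, process_path):
    """Flag an external-IP lookup and list the indicators that corroborate it.

    Returns None when the Host is not an IP-check service; otherwise a dict with
    the host, the requesting image name and the reasons the request stands out.
    """
    start, headers, _ = parse_http(raw_request)
    host = headers.get("host", "").lower()
    if host not in IP_CHECK_HOSTS:
        return None
    image = process_path.rsplit("\\", 1)[-1].lower()
    reasons = [f"external IP lookup to {host}"]
    if LEGACY_UA.search(headers.get("user-agent", "")):
        reasons.append("legacy MSIE/Windows NT 5.x User-Agent")
    if image not in BROWSERS:
        reasons.append(f"issued by non-browser process {image}")
    return {"host": host, "request": start, "image": image, "reasons": reasons}


def leaked_public_ip(raw_response):
    """Return the public IP the service echoed back, after checking Content-Length.

    A mismatch between Content-Length and the body seen means the message was
    truncated or reassembled incorrectly, so no IP is extracted from it.
    """
    _, headers, body = parse_http(raw_response)
    declared = int(headers.get("content-length", "-1"))
    if declared != len(body.encode("latin-1")):
        return None
    match = IP_IN_BODY.search(body)
    return match.group(1) if match else None


if __name__ == "__main__":
    print(assess_request(REQUEST, PROCESS))
    print("victim public IP as seen by the service:", leaked_public_ip(RESPONSE))
```

Treating the IP-check host as the primary trigger and the User-Agent and image name as corroboration keeps the rule quiet for legitimate dynamic-DNS updaters while still scoring this sample on all three indicators; the extracted 84.17.52.38 is the value a stealer of this kind would include in its first report home, so it is worth logging alongside the finding.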


                                                HTTPS Packets

                                                Timestamp:Feb 23, 2021 17:38:24.243105888 CET
                                                Source IP:104.21.19.200
                                                Source Port:443
                                                Dest IP:192.168.2.7
                                                Dest Port:49726
                                                Subject:CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
                                                Issuer:CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
                                                Not Before:Mon Aug 10 02:00:00 CEST 2020
                                                Not After:Tue Aug 10 14:00:00 CEST 2021
                                                Chain (intermediate certificate):
                                                • Subject:CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
                                                • Issuer:CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
                                                • Not Before:Mon Jan 27 13:48:08 CET 2020
                                                • Not After:Wed Jan 01 00:59:59 CET 2025
                                                JA3 SSL Client Fingerprint:769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0
                                                JA3 SSL Client Digest:54328bd36c14bd82ddaa0c04b25ed9ad
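The JA3 row records the TLS ClientHello the sample sent to freegeoip.app (104.21.19.200:443): the fingerprint is the five comma-separated fields (TLS version, cipher suites, extensions, supported groups, EC point formats) and the digest is the MD5 of that exact string, which is why the signature list in the report can match it against hashes "seen in connection with other malware". The block below is an added example, not part of the report, that recomputes the digest from the fingerprint to confirm the two columns belong together and translates the numeric values into their IANA registry names so an analyst can read what the client offered (a TLS 1.0 hello with CBC-only suites and 3DES). The name tables cover the values that occur in this fingerprint and are the only assumption; anything outside them is rendered as unknown(n).

```python
import hashlib

# Fingerprint string and digest as listed in the HTTPS Packets table above.
REPORT_JA3 = "769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0"
REPORT_JA3_DIGEST = "54328bd36c14bd82ddaa0c04b25ed9ad"

# Names from the IANA TLS registries for the values that occur in this
# fingerprint (assumed sufficient here); anything else is shown as unknown(n).
TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2"}
CIPHER_SUITES = {
    49162: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    49161: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    49172: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    49171: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    53: "TLS_RSA_WITH_AES_256_CBC_SHA",
    47: "TLS_RSA_WITH_AES_128_CBC_SHA",
    10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
EXTENSIONS = {
    0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
    23: "extended_master_secret", 35: "session_ticket", 65281: "renegotiation_info",
}
GROUPS = {23: "secp256r1", 24: "secp384r1", 29: "x25519"}
POINT_FORMATS = {0: "uncompressed"}


def ja3_digest(fingerprint):
    """The JA3 digest is the MD5 of the fingerprint string exactly as written."""
    return hashlib.md5(fingerprint.encode("ascii")).hexdigest()


def _ints(field):
    """Dash-separated decimal list; an empty field (e.g. no extensions) gives []."""
    return [int(x) for x in field.split("-")] if field else []


def _named(table, values):
    return [table.get(v, f"unknown({v})") for v in values]


def decode_ja3(fingerprint):
    """Split the five JA3 fields (version, ciphers, extensions, groups,
    point formats) and translate the numbers to their registry names."""
    fields = fingerprint.split(",")
    if len(fields) != 5:
        raise ValueError("JA3 string must have exactly five comma-separated fields")
    version, ciphers, exts, groups, formats = fields
    return {
        "version": TLS_VERSIONS.get(int(version), f"unknown({version})"),
        "cipher_suites": _named(CIPHER_SUITES, _ints(ciphers)),
        "extensions": _named(EXTENSIONS, _ints(exts)),
        "groups": _named(GROUPS, _ints(groups)),
        "point_formats": _named(POINT_FORMATS, _ints(formats)),
        "digest": ja3_digest(fingerprint),
    }


def matches_report(fingerprint=REPORT_JA3, digest=REPORT_JA3_DIGEST):
    """True when recomputing the digest reproduces the value the report lists."""
    return ja3_digest(fingerprint) == digest.lower()


if __name__ == "__main__":
    info = decode_ja3(REPORT_JA3)
    print("digest matches report:", matches_report())
    for key, value in info.items():
        print(f"{key}: {value}")
```

Recomputing the hash is the check to run before pivoting on a JA3 value from a third-party report: a transcription error in either column silently breaks every later correlation. Note also that JA3 identifies the TLS stack, not the malware; the same digest will appear for any client built on that stack, so it narrows a hunt rather than confirming a family on its own.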

                                                Code Manipulations

                                                Statistics

                                                Behavior


                                                System Behavior

                                                General

                                                Start time:17:37:36
                                                Start date:23/02/2021
                                                Path:C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe'
                                                Imagebase:0x7fffae0c0000
                                                File size:451584 bytes
                                                MD5 hash:49B05DE1926BE1EA5993874AD14C8D3A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.326366120.0000000003651000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:low

                                                General

                                                Start time:17:38:18
                                                Start date:23/02/2021
                                                Path:C:\Users\user\Desktop\ST_PLC URGENT ORDER 0223308737,pdf.exe
                                                Wow64 process (32bit):true
                                                Commandline:{path}
                                                Imagebase:0x7fffae0c0000
                                                File size:451584 bytes
                                                MD5 hash:49B05DE1926BE1EA5993874AD14C8D3A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.502527744.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                Reputation:low

                                                Disassembly

                                                Code Analysis
