
Windows Analysis Report PO# 6100003560, items 00090 and 00100.exe

Overview

General Information

Sample Name: PO# 6100003560, items 00090 and 00100.exe
Analysis ID: 553253
MD5: 6181e56a727d1a622764b93f44847b55
SHA1: 35d223985c50bce16e09c4465627dfadff775ced
SHA256: 9c252952a81c86f0d5b5206b35d84a446dd85322f64bafc1b082337ba738f291
Tags: agenttesla, exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "humhum@nutiribio.com", "Password": "zGNVO(l5", "Host": "smtp.nutiribio.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 16 entries shown)

Unpacked PEs

Source | Rule | Description | Author
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 18 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "humhum@nutiribio.com", "Password": "zGNVO(l5", "Host": "smtp.nutiribio.com"}
Multi AV Scanner detection for submitted file
Source: PO# 6100003560, items 00090 and 00100.exe | Virustotal: Detection: 43%
Source: PO# 6100003560, items 00090 and 00100.exe | ReversingLabs: Detection: 27%
Machine Learning detection for sample
Source: PO# 6100003560, items 00090 and 00100.exe | Joe Sandbox ML: detected
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.2.PO# 6100003560, items 00090 and 00100.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ConstructorReturnMessa.pdb source: PO# 6100003560, items 00090 and 00100.exe
Source: Binary string: ConstructorReturnMessa.pdbH source: PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | String found in binary or memory: http://MBStZn.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.commito
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PO# 6100003560, items 00090 and 00100.exe
.NET source code contains very large array initializations
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack, <PrivateImplementationDetails>{A23A83EA-A498-4AEF-BB16-CCD2EDE07471}/A33BCC3D-23D1-407D-9507-8DF915F9F7E3.cs | Large array initialization: .cctor: array initializer size 11775
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 0_2_003C6AB9
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 0_2_00B6C994
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 0_2_00B6EDD8
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 0_2_00B6EDC9
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 4_2_002E6AB9
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 6_2_00226AB9
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 7_2_000A6AB9
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00B16AB9
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FD1878
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FD7948
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FDBFA8
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FD8818
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FD876A
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FD0738
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_014D46A0
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_014D45D0
Source: PO# 6100003560, items 00090 and 00100.exe | Binary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702898417.0000000006E00000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696087469.00000000003C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe | Binary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000004.00000000.684019444.00000000002E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe | Binary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000006.00000000.687471583.0000000000222000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe | Binary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000007.00000000.689037100.00000000000A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe | Binary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000000.691670315.0000000000B12000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.931375320.0000000000438000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.931555930.0000000000F38000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe | Binary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: PO# 6100003560, items 00090 and 00100.exe | Virustotal: Detection: 43%
Source: PO# 6100003560, items 00090 and 00100.exe | ReversingLabs: Detection: 27%
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe "C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe"
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO# 6100003560, items 00090 and 00100.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/1@0/0
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: PO# 6100003560, items 00090 and 00100.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ConstructorReturnMessa.pdb source: PO# 6100003560, items 00090 and 00100.exe
Source: Binary string: ConstructorReturnMessa.pdbH source: PO# 6100003560, items 00090 and 00100.exe

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: PO# 6100003560, items 00090 and 00100.exe, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3c0000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.PO# 6100003560, items 00090 and 00100.exe.3c0000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.2.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.2.PO# 6100003560, items 00090 and 00100.exe.2e0000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.1.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.3.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.2.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.1.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.2.PO# 6100003560, items 00090 and 00100.exe.220000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.3.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.3.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.2.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.1.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.PO# 6100003560, items 00090 and 00100.exe.a0000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 8.2.PO# 6100003560, items 00090 and 00100.exe.b10000.1.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      .NET source code contains method to dynamically call methods (often used by packers)Show sources
                      Source: PO# 6100003560, items 00090 and 00100.exe, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3c0000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.0.PO# 6100003560, items 00090 and 00100.exe.3c0000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.2.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 4.2.PO# 6100003560, items 00090 and 00100.exe.2e0000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.1.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.3.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.2.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.1.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.2.PO# 6100003560, items 00090 and 00100.exe.220000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.3.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.3.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.2.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.1.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.2.PO# 6100003560, items 00090 and 00100.exe.a0000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.0.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 8.2.PO# 6100003560, items 00090 and 00100.exe.b10000.1.unpack, yH/xi.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 0_2_00B6D0F8 push 3C04C2C3h; ret 0_2_00B6D0FD
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 0_2_00B69288 pushfd; retn 0004h 0_2_00B694DA
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 0_2_00B63E41 push edx; retn 0004h 0_2_00B63E42
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_0136D95C push eax; ret 8_2_0136D95D
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_0136E332 push eax; ret 8_2_0136E349
Source: initial sample | Static PE information: section name: .text entropy: 7.23335914978
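The three static indicators above fit together. `LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)` is the Microsoft.VisualBasic late-bound form of `V_5.Invoke(null, V_6)`: a reflection call of a static method on a type resolved only at run time, which is how a .NET packer hands control to an assembly it has just decrypted. The `push ...; ret` sequences are the same stub's control-flow obfuscation. A `.text` entropy of 7.23 bits per byte says most of that section is not plain IL or machine code but an encrypted or compressed blob. The entropy figure is the one of the three you can reproduce on the file yourself. The Python below is an added example, not tooling from the report: it walks the PE section table with the standard library only and flags any section above 7.0 bits per byte (a commonly used heuristic threshold, not a value taken from the report). The PE it builds for itself is constructed and not loadable; it stands in for the sample, whose bytes are not on this page.

```python
"""Section-entropy triage for a PE file, stdlib only (added example, not the report's tooling)."""
import math
import random
import struct
from collections import Counter
from typing import Dict, Iterator, Tuple

# Bits per byte above which a section is treated as compressed or encrypted.
# 7.0 is a commonly used heuristic threshold, not a value from the report.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def pe_sections(image: bytes) -> Iterator[Tuple[str, bytes]]:
    """Walk the PE section table and yield (name, raw section bytes).

    Only the fields needed to locate raw data are parsed: e_lfanew, NumberOfSections,
    SizeOfOptionalHeader and each section's SizeOfRawData / PointerToRawData.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size            # section headers follow the optional header
    for i in range(num_sections):
        hdr = table + i * 40                # IMAGE_SECTION_HEADER is 40 bytes
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def triage(image: bytes, threshold: float = PACKED_THRESHOLD) -> Dict[str, Tuple[float, bool]]:
    """Map section name -> (entropy, flagged). A flagged .text means the code section
    is not plain IL or machine code: expect a decryption stub plus an embedded payload."""
    result: Dict[str, Tuple[float, bool]] = {}
    for name, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        result[name] = (round(ent, 3), ent > threshold)
    return result


def build_sample_pe(text: bytes, rdata: bytes) -> bytes:
    """Constructed minimal PE used only to exercise the parser: MZ stub, PE signature,
    COFF header with no optional header, and two section headers. It is not the
    analysed sample and is not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    # Machine=i386, 2 sections, TimeDateStamp/SymbolTable/NumSymbols=0, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 2 * 40    # raw data starts right after the section table
    headers, body = b"", b""
    for name, raw in ((b".text", text), (b".rdata", rdata)):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs/linenumbers (0), Characteristics
        headers += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(raw), 0, len(raw), raw_ptr, 0, 0, 0, 0, 0)
        body += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + headers + body


def sample_image() -> bytes:
    """Constructed input: a .text section that looks encrypted (every byte value equally
    frequent, order shuffled deterministically) beside a plain-text .rdata section."""
    packed = bytearray(bytes(range(256)) * 16)
    random.Random(7).shuffle(packed)
    return build_sample_pe(bytes(packed), b"Purchase order attached, see PO items below.\0" * 100)


if __name__ == "__main__":
    for section, (entropy, flagged) in triage(sample_image()).items():
        print(f"{section:8} entropy={entropy:.3f} {'PACKED?' if flagged else 'ok'}")
```

Run it on a real file with `triage(open(path, "rb").read())`. For a .NET executable keep in mind that `.text` holds the CLI metadata, the IL and any embedded resources together, so a high reading there usually means a large encrypted array (the report's "very large array initializations") rather than packed native code; the decrypted stage is what the `.unpack` child-process dumps above contain.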
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | File created: \po# 6100003560, items 00090 and 00100.exe (8 occurrences)
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process information set: NOOPENFILEERRORBOX (85 occurrences)

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.272f86c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.2776894.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO# 6100003560, items 00090 and 00100.exe.2737878.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 7120, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 7124 | Thread sleep time: -38628s >= -30000s
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 7156 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 5564 | Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 3080 | Thread sleep count: 2971 > 30
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 3080 | Thread sleep count: 6893 > 30
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Window / User API: threadDelayed 2971
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Window / User API: threadDelayed 6893
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Thread delayed: delay time: 38628
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Code function: 8_2_00FDCF70 LdrInitializeThunk, 8_2_00FDCF70
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Memory written: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Process created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe (4 occurrences)
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932334947.0000000001880000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932334947.0000000001880000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932334947.0000000001880000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932334947.0000000001880000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
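Each signature in the two sections above is weak on its own (a long sleep, a WMI query, SeDebugPrivilege), and the report's threshold lines (`>= -30000s`, `> 30`) show how the sandbox scores them. Two details deserve a closer reading. The delay value 922337203685477 is Int64.MaxValue in 100-nanosecond units divided by 10000, i.e. the largest interval NtDelayExecution can express, so that thread asked to sleep for ever. The memory string `VMware SVGA IIBAdd-MpPreference -ExclusionPath "` shows that the payload carries a PowerShell Add-MpPreference fragment for a Microsoft Defender path exclusion right next to its VMware checks. The write of a buffer beginning with 4D5A (`MZ`) to base 400000 of a freshly created copy of itself is consistent with process hollowing. The Python below is an added example, not part of the report: it turns lines in the report's own format into tagged findings. The watch-lists and thresholds are this example's assumptions; the sample lines are copied from the report with the file name abbreviated, plus two constructed negative controls.

```python
"""Rule-based triage of sandbox behaviour lines for evasion and injection indicators.

Added example, not part of the report. Sample lines are copied from the report
(file name abbreviated) plus two constructed negative controls; thresholds and
watch-lists are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SLEEP_THRESHOLD = 30_000                  # the report itself flags delays >= 30000
MAX_DELAY = 922_337_203_685_477           # Int64.MaxValue 100-ns ticks / 10000: "sleep forever"

# WMI classes whose instances expose virtual-hardware vendor strings (assumed watch-list).
VM_WMI_CLASSES = {"Win32_BaseBoard", "Win32_Bios", "Win32_Processor",
                  "Win32_NetworkAdapterConfiguration", "Win32_ComputerSystem"}
# Substrings pointing at sandbox/hypervisor checks or Defender tampering (assumed watch-list).
STRING_WATCHLIST = ("sbiedll", "wine_get_unix_file_name", "vmware", "vbox",
                    "virtualbox", "qemu", "add-mppreference")

_PATTERNS = [
    ("sleep", re.compile(r"Thread sleep time: -?(\d+)s")),
    ("sleep", re.compile(r"Thread delayed: delay time: (\d+)")),
    ("sleep_count", re.compile(r"Thread sleep count: (\d+)")),
    ("wmi", re.compile(r"WMI Queries: .*?: (Win32_\w+)")),
    ("string", re.compile(r"Binary or memory string: (.+)$")),
    ("memwrite", re.compile(r"Memory written: (.+?) base: ([0-9A-Fa-f]+) value starts with: ([0-9A-Fa-f]+)")),
    ("token", re.compile(r"Process token adjusted: (\w+)")),
]


@dataclass(frozen=True)
class Finding:
    tactic: str
    evidence: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one behaviour line, or None when it is benign or unknown."""
    for kind, pattern in _PATTERNS:
        m = pattern.search(line)
        if not m:
            continue
        if kind == "sleep":
            delay = int(m.group(1))
            if delay >= MAX_DELAY:
                return Finding("evasion:sleep", f"effectively infinite delay ({delay})")
            if delay >= SLEEP_THRESHOLD:
                return Finding("evasion:sleep", f"delay {delay} >= {SLEEP_THRESHOLD}")
            return None
        if kind == "sleep_count":
            count = int(m.group(1))
            return Finding("evasion:sleep-loop", f"{count} sleep calls") if count > 30 else None
        if kind == "wmi":
            cls = m.group(1)
            return Finding("evasion:vm-fingerprint", f"WMI enumeration of {cls}") if cls in VM_WMI_CLASSES else None
        if kind == "string":
            text = m.group(1)
            hits = [w for w in STRING_WATCHLIST if w in text.lower()]
            return Finding("evasion:artifact-string", f"{hits} in {text!r}") if hits else None
        if kind == "memwrite":
            target, base, prefix = m.groups()
            if prefix.upper().startswith("4D5A"):   # "MZ": a whole PE image is being written
                return Finding("injection:pe-image-write", f"MZ header written into {target} at 0x{base}")
            return None
        if kind == "token":
            return Finding("privilege:debug", line.strip()) if m.group(1) == "Debug" else None
    return None


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in map(classify, lines) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.tactic] = counts.get(f.tactic, 0) + 1
    return counts


SAMPLE_LINES = [
    # copied from the report above, file name abbreviated to PO.exe
    "PO.exe TID: 7124 | Thread sleep time: -38628s >= -30000s",
    "PO.exe TID: 7156 | Thread sleep time: -922337203685477s >= -30000s",
    "PO.exe TID: 3080 | Thread sleep count: 2971 > 30",
    "PO.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_BaseBoard",
    "PO.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_OperatingSystem",  # constructed negative control
    "PO.exe, 00000000.00000002.sdmp | Binary or memory string: SBIEDLL.DLL",
    "PO.exe, 00000000.00000002.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath \"",
    "PO.exe, 00000008.00000002.sdmp | Binary or memory string: Program Manager",  # negative control (benign window title)
    "PO.exe | Memory written: C:\\Users\\user\\Desktop\\PO.exe base: 400000 value starts with: 4D5A",
    "PO.exe | Process token adjusted: Debug",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(f"{finding.tactic:28} {finding.evidence}")
    print(summarize(triage(SAMPLE_LINES)))
```

The rules are deliberately one-line-at-a-time so they can be extended with the remaining signatures on this page; correlating them (a sleep-forever thread in the same process that later writes an MZ image into a suspended child) is where the real verdict comes from, and that is a join over process IDs that the report's own scoring already performs.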
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation