Loading ...

Play interactive tourEdit tour

Windows Analysis Report PO# 6100003560, items 00090 and 00100.exe

Overview

General Information

Sample Name:PO# 6100003560, items 00090 and 00100.exe
Analysis ID:553253
MD5:6181e56a727d1a622764b93f44847b55
SHA1:35d223985c50bce16e09c4465627dfadff775ced
SHA256:9c252952a81c86f0d5b5206b35d84a446dd85322f64bafc1b082337ba738f291
Tags:agentteslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "humhum@nutiribio.com", "Password": "zGNVO(l5", "Host": "smtp.nutiribio.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 16 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 18 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "humhum@nutiribio.com", "Password": "zGNVO(l5", "Host": "smtp.nutiribio.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: PO# 6100003560, items 00090 and 00100.exeVirustotal: Detection: 43%Perma Link
                      Source: PO# 6100003560, items 00090 and 00100.exeReversingLabs: Detection: 27%
                      Machine Learning detection for sampleShow sources
                      Source: PO# 6100003560, items 00090 and 00100.exeJoe Sandbox ML: detected
                      Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.2.PO# 6100003560, items 00090 and 00100.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                      Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: PO# 6100003560, items 00090 and 00100.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: PO# 6100003560, items 00090 and 00100.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: ConstructorReturnMessa.pdb source: PO# 6100003560, items 00090 and 00100.exe
                      Source: Binary string: ConstructorReturnMessa.pdbH source: PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: http://MBStZn.com
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.commito
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: PO# 6100003560, items 00090 and 00100.exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007bA23A83EAu002dA498u002d4AEFu002dBB16u002dCCD2EDE07471u007d/A33BCC3Du002d23D1u002d407Du002d9507u002d8DF915F9F7E3.csLarge array initialization: .cctor: array initializer size 11775
                      Source: PO# 6100003560, items 00090 and 00100.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 0_2_003C6AB9
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 0_2_00B6C994
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 0_2_00B6EDD8
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 0_2_00B6EDC9
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 4_2_002E6AB9
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 6_2_00226AB9
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 7_2_000A6AB9
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_00B16AB9
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_00FD1878
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_00FD7948
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_00FDBFA8
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_00FD8818
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_00FD876A
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_00FD0738
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_014D46A0
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_014D45D0
                      Source: PO# 6100003560, items 00090 and 00100.exeBinary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702898417.0000000006E00000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696087469.00000000003C2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exeBinary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000004.00000000.684019444.00000000002E2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exeBinary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000006.00000000.687471583.0000000000222000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exeBinary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000007.00000000.689037100.00000000000A2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exeBinary or memory string: OriginalFilename vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000000.691670315.0000000000B12000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.931375320.0000000000438000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameOhdryIYKwtfOhFKUvICmEItYgptrtNr.exe4 vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.931555930.0000000000F38000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exeBinary or memory string: OriginalFilenameConstructorReturnMessa.exe0 vs PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: PO# 6100003560, items 00090 and 00100.exeVirustotal: Detection: 43%
                      Source: PO# 6100003560, items 00090 and 00100.exeReversingLabs: Detection: 27%
                      Source: PO# 6100003560, items 00090 and 00100.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe "C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe"
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO# 6100003560, items 00090 and 00100.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/1@0/0
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: PO# 6100003560, items 00090 and 00100.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PO# 6100003560, items 00090 and 00100.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: PO# 6100003560, items 00090 and 00100.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: ConstructorReturnMessa.pdb source: PO# 6100003560, items 00090 and 00100.exe
                      Source: Binary string: ConstructorReturnMessa.pdbH source: PO# 6100003560, items 00090 and 00100.exe

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: PO# 6100003560, items 00090 and 00100.exe, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3c0000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.PO# 6100003560, items 00090 and 00100.exe.3c0000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.2.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.2.PO# 6100003560, items 00090 and 00100.exe.2e0000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.1.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.3.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.2.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.1.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.2.PO# 6100003560, items 00090 and 00100.exe.220000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.3.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.3.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.2.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.1.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.PO# 6100003560, items 00090 and 00100.exe.a0000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.0.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 8.2.PO# 6100003560, items 00090 and 00100.exe.b10000.1.unpack, yH/xi.cs.Net Code: cL System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      .NET source code contains method to dynamically call methods (often used by packers)Show sources
                      Source: PO# 6100003560, items 00090 and 00100.exe, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3c0000.0.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 0.0.PO# 6100003560, items 00090 and 00100.exe.3c0000.0.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.2.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 4.2.PO# 6100003560, items 00090 and 00100.exe.2e0000.0.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.1.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.0.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 4.0.PO# 6100003560, items 00090 and 00100.exe.2e0000.3.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.2.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.1.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 6.2.PO# 6100003560, items 00090 and 00100.exe.220000.0.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.0.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 6.0.PO# 6100003560, items 00090 and 00100.exe.220000.3.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.3.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.2.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.1.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 7.2.PO# 6100003560, items 00090 and 00100.exe.a0000.0.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 7.0.PO# 6100003560, items 00090 and 00100.exe.a0000.0.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: 8.2.PO# 6100003560, items 00090 and 00100.exe.b10000.1.unpack, yH/xi.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 0_2_00B6D0F8 push 3C04C2C3h; ret
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 0_2_00B69288 pushfd ; retn 0004h
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 0_2_00B63E41 push edx; retn 0004h
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_0136D95C push eax; ret
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_0136E332 push eax; ret
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.23335914978
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile created: \po# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile created: \po# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile created: \po# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile created: \po# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile created: \po# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile created: \po# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile created: \po# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile created: \po# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 0.2.PO# 6100003560, items 00090 and 00100.exe.272f86c.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO# 6100003560, items 00090 and 00100.exe.2776894.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO# 6100003560, items 00090 and 00100.exe.2737878.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 7120, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 7124Thread sleep time: -38628s >= -30000s
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 7156Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 5564Thread sleep time: -12912720851596678s >= -30000s
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 3080Thread sleep count: 2971 > 30
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe TID: 3080Thread sleep count: 6893 > 30
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeWindow / User API: threadDelayed 2971
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeWindow / User API: threadDelayed 6893
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeThread delayed: delay time: 38628
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeThread delayed: delay time: 922337203685477
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeCode function: 8_2_00FDCF70 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeMemory written: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeProcess created: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932334947.0000000001880000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932334947.0000000001880000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932334947.0000000001880000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932334947.0000000001880000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.PO# 6100003560, items 00090 and 00100.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3763cf8.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3763cf8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000000.694460760.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000000.693491204.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.931334494.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.932648728.0000000002FE2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 7120, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 3112, type: MEMORYSTR
                      Tries to steal Mail credentials (via file / registry access)Show sources
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: Yara matchFile source: 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 3112, type: MEMORYSTR

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.PO# 6100003560, items 00090 and 00100.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.12.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3763cf8.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.0.PO# 6100003560, items 00090 and 00100.exe.400000.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3763cf8.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.PO# 6100003560, items 00090 and 00100.exe.3799318.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000000.694460760.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000000.693491204.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.931334494.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.932648728.0000000002FE2000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 7120, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: PO# 6100003560, items 00090 and 00100.exe PID: 3112, type: MEMORYSTR

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection112Masquerading1OS Credential Dumping1Security Software Discovery211Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion131Security Account ManagerVirtualization/Sandbox Evasion131SMB/Windows Admin SharesData from Local System1Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsSystem Information Discovery114SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information2Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing23DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      PO# 6100003560, items 00090 and 00100.exe43%VirustotalBrowse
                      PO# 6100003560, items 00090 and 00100.exe28%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                      PO# 6100003560, items 00090 and 00100.exe100%Joe Sandbox ML

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      8.0.PO# 6100003560, items 00090 and 00100.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File
                      8.0.PO# 6100003560, items 00090 and 00100.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                      8.2.PO# 6100003560, items 00090 and 00100.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                      8.0.PO# 6100003560, items 00090 and 00100.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                      8.0.PO# 6100003560, items 00090 and 00100.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                      8.0.PO# 6100003560, items 00090 and 00100.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://DynDns.comDynDNS0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.fontbureau.commito0%Avira URL Cloudsafe
                      http://www.fontbureau.coma0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                      http://fontfabrik.com0%URL Reputationsafe
                      http://www.founder.com.cn/cn0%URL Reputationsafe
                      http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                      http://MBStZn.com0%Avira URL Cloudsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      https://api.ipify.org%GETMozilla/5.00%URL Reputationsafe
                      http://www.sandoll.co.kr0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.sakkal.com0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.1PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      low
                      http://www.apache.org/licenses/LICENSE-2.0PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                        high
                        http://www.fontbureau.comPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmpfalse
                          high
                          http://www.fontbureau.com/designersGPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                            high
                            http://DynDns.comDynDNSPO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers/?PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                              high
                              http://www.founder.com.cn/cn/bThePO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haPO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers?PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                high
                                http://www.tiro.comPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designersPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.goodfont.co.krPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.commitoPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.comaPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.696933408.0000000000D57000.00000004.00000040.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.carterandcone.comlPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.sajatypeworks.comPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.typography.netDPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.founder.com.cn/cn/cThePO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://fontfabrik.comPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cnPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers/frere-user.htmlPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.jiyu-kobo.co.jp/PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://MBStZn.comPO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.galapagosdesign.com/DPleasePO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers8PO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                        high
                                        https://api.ipify.org%GETMozilla/5.0PO# 6100003560, items 00090 and 00100.exe, 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        low
                                        http://www.fonts.comPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                          high
                                          http://www.sandoll.co.krPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.urwpp.deDPleasePO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.zhongyicts.com.cnPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sakkal.comPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.702657840.00000000068F2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipPO# 6100003560, items 00090 and 00100.exe, 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, PO# 6100003560, items 00090 and 00100.exe, 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          unknown

                                          Contacted IPs

                                          No contacted IP infos

                                          General Information

                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                          Analysis ID:553253
                                          Start date:14.01.2022
                                          Start time:15:06:23
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 11m 11s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:PO# 6100003560, items 00090 and 00100.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:19
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@9/1@0/0
                                          EGA Information:
                                          • Successful, ratio: 40%
                                          HDC Information:
                                          • Successful, ratio: 0.3% (good quality ratio 0.1%)
                                          • Quality average: 18.4%
                                          • Quality standard deviation: 31%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          Show All
                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                          • Execution Graph export aborted for target PO# 6100003560, items 00090 and 00100.exe, PID 1000 because there are no executed function
                                          • Execution Graph export aborted for target PO# 6100003560, items 00090 and 00100.exe, PID 1444 because there are no executed function
                                          • Execution Graph export aborted for target PO# 6100003560, items 00090 and 00100.exe, PID 4780 because there are no executed function
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          15:07:27API Interceptor736x Sleep call for process: PO# 6100003560, items 00090 and 00100.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASN

                                          No context

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO# 6100003560, items 00090 and 00100.exe.log
                                          Process:C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1310
                                          Entropy (8bit):5.345651901398759
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
                                          MD5:A9EFF9253CAF99EC8665E41D736DDAED
                                          SHA1:D95BB4ABC856D774DA4602A59DE252B4BF560530
                                          SHA-256:DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
                                          SHA-512:96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
                                          Malicious:true
                                          Reputation:moderate, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.219699789114028
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:PO# 6100003560, items 00090 and 00100.exe
                                          File size:590336
                                          MD5:6181e56a727d1a622764b93f44847b55
                                          SHA1:35d223985c50bce16e09c4465627dfadff775ced
                                          SHA256:9c252952a81c86f0d5b5206b35d84a446dd85322f64bafc1b082337ba738f291
                                          SHA512:982fad5e912da6016ad49ea29c5d05362bafa1d6bd9024c86ccac30a1b49e01b667666f5eccb4b7c3a4b7f2aafe03439f582c1ddc552454392f013166c14b009
                                          SSDEEP:12288:pPIK777777777777N7FPlJOS4ww6Ug2gws8+Ww/JiR:pPIK777777777777lFjOSfV2P+Ww/8R
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>7.a............................n.... ... ....@.. .......................`............@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x49146e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x61E1373E [Fri Jan 14 08:41:34 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x914200x4b.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x920000x604.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x940000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x913c20x1c.text
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000x8f4740x8f600False0.755004563535data7.23335914978IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc0x920000x6040x800False0.33447265625data3.41525161764IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0x940000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountry
                                          RT_VERSION0x920a00x376data
                                          RT_MANIFEST0x924180x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                          Imports

                                          DLLImport
                                          mscoree.dll_CorExeMain

                                          Version Infos

                                          DescriptionData
                                          Translation0x0000 0x04b0
                                          LegalCopyright2022 Tradewell
                                          Assembly Version22.0.0.0
                                          InternalNameConstructorReturnMessa.exe
                                          FileVersion1.1.0.0
                                          CompanyNameTradewell ltd
                                          LegalTrademarks
                                          CommentsPurple Org
                                          ProductNameBlaster
                                          ProductVersion1.1.0.0
                                          FileDescriptionBlaster
                                          OriginalFilenameConstructorReturnMessa.exe

                                          Network Behavior

                                          No network behavior found

                                          Code Manipulations

                                          Statistics

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Start time:15:07:19
                                          Start date:14/01/2022
                                          Path:C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe"
                                          Imagebase:0x3c0000
                                          File size:590336 bytes
                                          MD5 hash:6181E56A727D1A622764B93F44847B55
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.697012904.0000000002701000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.697067441.000000000274C000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.698577528.0000000003709000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:15:07:28
                                          Start date:14/01/2022
                                          Path:C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Imagebase:0x2e0000
                                          File size:590336 bytes
                                          MD5 hash:6181E56A727D1A622764B93F44847B55
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low

                                          General

                                          Start time:15:07:29
                                          Start date:14/01/2022
                                          Path:C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Imagebase:0x220000
                                          File size:590336 bytes
                                          MD5 hash:6181E56A727D1A622764B93F44847B55
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low

                                          General

                                          Start time:15:07:30
                                          Start date:14/01/2022
                                          Path:C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Imagebase:0xa0000
                                          File size:590336 bytes
                                          MD5 hash:6181E56A727D1A622764B93F44847B55
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low

                                          General

                                          Start time:15:07:31
                                          Start date:14/01/2022
                                          Path:C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\PO# 6100003560, items 00090 and 00100.exe
                                          Imagebase:0xb10000
                                          File size:590336 bytes
                                          MD5 hash:6181E56A727D1A622764B93F44847B55
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.693932970.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.693014706.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.932514669.0000000002F31000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.932648728.0000000002FE2000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.694460760.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.694460760.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000000.693491204.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000000.693491204.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.931334494.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.931334494.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          Disassembly

                                          Code Analysis

                                          Reset < >