Windows Analysis Report
PO 059420.exe

Overview

General Information

Sample Name: PO 059420.exe
Analysis ID: 715096
MD5: 139deb18239c1db30775b256717b91a6
SHA1: 3539a4b24d8f5b601d99a2239f5f18e17cd5fb04
SHA256: 5f2a513bb02d1432e658ac0d65327d0ed56f6a4f1e014de8e4ff50fcf738ca93
Tags: exeJustClickAm-com

Detection

NetWire
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected NetWire RAT
Sigma detected: Scheduled temp file as task from temp location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: PO 059420.exe ReversingLabs: Detection: 38%
Source: PO 059420.exe Virustotal: Detection: 32%
Source: 37.0.14.206:3384 Avira URL Cloud: Label: malware
Source: 37.0.14.206:3384 Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Roaming\Install\Host.exe ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Roaming\pgzBzcEDZDX.exe ReversingLabs: Detection: 38%
Source: PO 059420.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\pgzBzcEDZDX.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Joe Sandbox ML: detected
Source: 0.2.PO 059420.exe.4037e10.2.raw.unpack Malware Configuration Extractor: NetWire {"C2 list": ["37.0.14.206:3384"], "Password": "Password234", "Host ID": "HostId-%Rand%", "Mutex": "-", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-"}
Source: PO 059420.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PO 059420.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic Snort IDS: 2837546 ETPRO TROJAN Netwire RAT Check-in 37.0.14.206:3384 -> 192.168.2.5:49705
Source: Malware configuration extractor URLs: 37.0.14.206:3384
Source: Joe Sandbox View ASN Name: WKD-ASIE WKD-ASIE
Source: Joe Sandbox View IP Address: 37.0.14.206 37.0.14.206
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 37.0.14.206:3384
Source: unknown TCP traffic detected without corresponding DNS query: 37.0.14.206
Source: PO 059420.exe, 00000000.00000003.300372827.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.w
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: PO 059420.exe, 00000000.00000002.324385254.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO 059420.exe, 00000000.00000003.308588551.0000000005DE3000.00000004.00000800.00020000.00000000.sdmp, PO 059420.exe, 00000000.00000003.320972707.0000000005DE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: PO 059420.exe, 00000000.00000003.308588551.0000000005DE3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comceta
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp, PO 059420.exe, 00000000.00000003.303542763.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp, PO 059420.exe, 00000000.00000003.303559818.0000000005DE5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PO 059420.exe, 00000000.00000003.303542763.0000000005DEB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/4
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO 059420.exe, 00000000.00000003.306696235.0000000005DF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: PO 059420.exe, 00000000.00000003.301319980.0000000005DFB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comg
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PO 059420.exe, 00000000.00000002.339274070.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

System Summary

Source: 00000003.00000002.323643134.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.564992152.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: PO 059420.exe PID: 1916, type: MEMORYSTR Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 4140, type: MEMORYSTR Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.323643134.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.564992152.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: PO 059420.exe PID: 4600, type: MEMORYSTR Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: PO 059420.exe PID: 1916, type: MEMORYSTR Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Host.exe PID: 5188, type: MEMORYSTR Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: Host.exe PID: 4140, type: MEMORYSTR Matched rule: netwire author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0133D7F4 0_2_0133D7F4
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0133E1E0 0_2_0133E1E0
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0133E1DE 0_2_0133E1DE
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0133B974 0_2_0133B974
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0133FC51 0_2_0133FC51
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_07824E70 0_2_07824E70
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0782ED88 0_2_0782ED88
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_07828B80 0_2_07828B80
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0782D710 0_2_0782D710
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_078255D8 0_2_078255D8
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_07827558 0_2_07827558
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0782E5C8 0_2_0782E5C8
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0782E5D8 0_2_0782E5D8
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0782ED78 0_2_0782ED78
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0782CCE0 0_2_0782CCE0
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0782F341 0_2_0782F341
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0782F350 0_2_0782F350
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0782BE5B 0_2_0782BE5B
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0782BE68 0_2_0782BE68
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085DFCF8 0_2_085DFCF8
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D2D00 0_2_085D2D00
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D3F88 0_2_085D3F88
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D5570 0_2_085D5570
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085DD5D0 0_2_085DD5D0
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D47D8 0_2_085D47D8
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D9858 0_2_085D9858
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D8A18 0_2_085D8A18
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D8A28 0_2_085D8A28
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085DDAB8 0_2_085DDAB8
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085DEC00 0_2_085DEC00
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D8C38 0_2_085D8C38
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D8C29 0_2_085D8C29
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085DDCD8 0_2_085DDCD8
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D3F0E 0_2_085D3F0E
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D7F38 0_2_085D7F38
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D7F28 0_2_085D7F28
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D8250 0_2_085D8250
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D8240 0_2_085D8240
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D3340 0_2_085D3340
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D3330 0_2_085D3330
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D5560 0_2_085D5560
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D85C0 0_2_085D85C0
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D85B3 0_2_085D85B3
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D97D6 0_2_085D97D6
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D47C9 0_2_085D47C9
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D87B0 0_2_085D87B0
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_085D87A0 0_2_085D87A0
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0E0F2570 0_2_0E0F2570
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0E0F05C0 0_2_0E0F05C0
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0E0F0358 0_2_0E0F0358
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0E0F2784 0_2_0E0F2784
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0E0F2569 0_2_0E0F2569
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0E0F05B5 0_2_0E0F05B5
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0E0F0348 0_2_0E0F0348
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0E0F0007 0_2_0E0F0007
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0E0F0040 0_2_0E0F0040
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0551ED00 4_2_0551ED00
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_05514E70 4_2_05514E70
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0551E5D8 4_2_0551E5D8
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0551E5C8 4_2_0551E5C8
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0551F2B8 4_2_0551F2B8
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0551CC5A 4_2_0551CC5A
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0551ECF0 4_2_0551ECF0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0551BE59 4_2_0551BE59
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0551BE68 4_2_0551BE68
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0551DAF8 4_2_0551DAF8
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_077647C9 4_2_077647C9
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_07763F88 4_2_07763F88
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_07765560 4_2_07765560
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0776D5D0 4_2_0776D5D0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_07762DA0 4_2_07762DA0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0776FCF8 4_2_0776FCF8
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_07767F38 4_2_07767F38
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_07767F28 4_2_07767F28
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_07763F03 4_2_07763F03
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_077687B0 4_2_077687B0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_077687A0 4_2_077687A0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_077685C0 4_2_077685C0
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_077685B3 4_2_077685B3
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_07768C29 4_2_07768C29
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0776EC00 4_2_0776EC00
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_07763330 4_2_07763330
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_07768240 4_2_07768240
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_07768A28 4_2_07768A28
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_07768A18 4_2_07768A18
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0776DAB8 4_2_0776DAB8
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0D3305B1 4_2_0D3305B1
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0D330358 4_2_0D330358
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0D330040 4_2_0D330040
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0D330348 4_2_0D330348
Source: PO 059420.exe, 00000000.00000002.341458607.00000000082B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameQuestKingdom.dllH vs PO 059420.exe
Source: PO 059420.exe, 00000000.00000002.324734583.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO 059420.exe
Source: PO 059420.exe, 00000000.00000002.341543894.00000000084A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO 059420.exe
Source: PO 059420.exe, 00000000.00000002.328094627.0000000003F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameP2mI.exe> vs PO 059420.exe
Source: PO 059420.exe, 00000000.00000002.328094627.0000000003F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO 059420.exe
Source: PO 059420.exe, 00000000.00000002.328094627.0000000003F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameQuestKingdom.dllH vs PO 059420.exe
Source: PO 059420.exe, 00000003.00000002.324243547.00000000011B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameP2mI.exe> vs PO 059420.exe
Source: PO 059420.exe Binary or memory string: OriginalFilenameP2mI.exe> vs PO 059420.exe
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Install\Host.exe 5F2A513BB02D1432E658AC0D65327D0ED56F6A4F1E014DE8E4FF50FCF738CA93
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\pgzBzcEDZDX.exe 5F2A513BB02D1432E658AC0D65327D0ED56F6A4F1E014DE8E4FF50FCF738CA93
Source: PO 059420.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pgzBzcEDZDX.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Host.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO 059420.exe File read: C:\Users\user\Desktop\PO 059420.exe
Source: C:\Users\user\Desktop\PO 059420.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PO 059420.exe C:\Users\user\Desktop\PO 059420.exe
Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Users\user\Desktop\PO 059420.exe {path}
Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Users\user\AppData\Roaming\Install\Host.exe "C:\Users\user\AppData\Roaming\Install\Host.exe"
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmp46B4.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process created: C:\Users\user\AppData\Roaming\Install\Host.exe {path}
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 059420.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\PO 059420.exe File created: C:\Users\user\AppData\Roaming\pgzBzcEDZDX.exe
Source: C:\Users\user\Desktop\PO 059420.exe File created: C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@15/7@0/1
Source: C:\Users\user\Desktop\PO 059420.exe File read: C:\Users\user\Desktop\desktop.ini
Source: PO 059420.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO 059420.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1544:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Mutant created: \Sessions\1\BaseNamedObjects\-
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Mutant created: \Sessions\1\BaseNamedObjects\czdggpDWYATzBvcsCf
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_01
Source: PO 059420.exe, 00000000.00000003.305553675.0000000005DED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Segoe is a trademark of the Microsoft group of companies.slnt
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO 059420.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO 059420.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_07822C10 pushfd ; retf 0_2_07822C11
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_07821B08 pushfd ; ret 0_2_07821B09
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_07821A90 push eax; ret 0_2_07821A91
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0E0F558D push FFFFFF8Bh; iretd 0_2_0E0F558F
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0E0F1A23 push cs; ret 0_2_0E0F1A28
Source: C:\Users\user\Desktop\PO 059420.exe Code function: 0_2_0E0F1973 push cs; iretd 0_2_0E0F1974
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_05512C10 pushfd ; retf 4_2_05512C11
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_05511B08 pushfd ; ret 4_2_05511B09
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_05511A90 push eax; ret 4_2_05511A91
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Code function: 4_2_0D33557A push dword ptr [edx+ebp*2-75h]; iretd 4_2_0D335587
Source: initial sample Static PE information: section name: .text entropy: 7.8243407891344505
Source: C:\Users\user\Desktop\PO 059420.exe File created: C:\Users\user\AppData\Roaming\Install\Host.exe

Boot Survival

Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp"
Source: C:\Users\user\Desktop\PO 059420.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process information set: NOOPENFILEERRORBOX (34 identical events)
Note: NOOPENFILEERRORBOX is SetErrorMode(SEM_NOOPENFILEERRORBOX), which suppresses the dialog Windows would otherwise show when a file cannot be opened. Language runtimes and installers set it routinely; on its own it is not an indicator.

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: PO 059420.exe PID: 4600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Host.exe PID: 5188, type: MEMORYSTR
Source: PO 059420.exe, 00000000.00000002.324385254.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PO 059420.exe, 00000000.00000002.324385254.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Note: wine_get_unix_file_name is an export of Wine's kernel32 and SbieDll.dll is the Sandboxie hook library; looking either of them up is a check for running under Wine or Sandboxie, and both strings are present in the same region of both processes.
Source: C:\Users\user\Desktop\PO 059420.exe TID: 5312 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Install\Host.exe TID: 1008 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 identical events; conhost.exe is the console host spawned for the schtasks.exe children and contributes no evasion of its own)
Source: C:\Users\user\Desktop\PO 059420.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO 059420.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO 059420.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Thread delayed: delay time: 922337203685477
Note: 922337203685477 is 2^63 in 100 ns NT ticks divided by 10^4, i.e. the report prints the raw NtDelayExecution interval in milliseconds while labelling it "s". The underlying value is the most negative 64-bit integer, which Windows treats as an infinite relative timeout (the value Sleep(INFINITE) passes), so these entries show a thread parked indefinitely rather than a timed sleep; the negative sign only marks the interval as relative. Infinite waits are routine in GUI and .NET processes, so this signature is weak evidence of evasion by itself.
Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Note: these are the registry paths and expected values of a well-known VM check: the disk identifier under HARDWARE\DEVICEMAP\Scsi\Scsi Port N\Scsi Bus 0\Target Id 0\Logical Unit Id 0 and SYSTEM\ControlSet001\Services\Disk\Enum, the display adapter under device class {4D36E968-E325-11CE-BFC1-08002BE10318} (Display adapters), and the InstallPath value of SOFTWARE\VMware, Inc.\VMware Tools, with "vmware" and "VMware SVGA II" as the comparison targets. The SQL connection string after "VMware SVGA II" and the single characters between entries are neighbouring, unrelated strings that the dump ran together.
Source: PO 059420.exe, 00000003.00000002.324243547.00000000011B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Note: "Hyper-V RAW" is the Winsock catalog name of the Hyper-V socket provider in mswsock.dll and is present on ordinary Windows 10 hosts; it is a string of the operating system, not an anti-VM check by the sample.
Source: C:\Users\user\Desktop\PO 059420.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process token adjusted: Debug
Note: enabling SeDebugPrivilege is the usual prerequisite for opening and writing another process's memory, which both stages go on to do.
Source: C:\Users\user\Desktop\PO 059420.exe Memory allocated: page read and write | page guard
Note: a PAGE_GUARD page raises STATUS_GUARD_PAGE_VIOLATION on first access; packers commonly use this to detect a debugger that swallows the exception and to decrypt code on demand.
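The "Thread sleep time" entries and the VM strings above are easier to reason about once the numbers are decoded. The following Python is an added example, not code from the sample, from NetWire or from the sandbox: it reverses the report's scaling of the NtDelayExecution interval and separates the infinite relative wait (INT64_MIN, what Sleep(INFINITE) passes) from finite long and short sleeps and from absolute timeouts, then runs a case-insensitive scan for the Sandboxie, Wine and VMware marker strings over a constructed memory region. The 180 s threshold, the marker table and SAMPLE_MEMORY are assumptions.

```python
"""Decode the thread-delay figures the report prints and scan a memory region for
the anti-VM / anti-sandbox marker strings listed above.

Added example for this report, not code from the sample or from the sandbox.
SAMPLE_MEMORY is constructed; LONG_SLEEP_SECONDS is an assumed threshold."""
from __future__ import annotations

from dataclasses import dataclass

TICKS_PER_SECOND = 10_000_000   # NT timeouts are signed 64-bit counts of 100 ns
REPORT_DIVISOR = 10_000         # the report prints ticks / 10**4 (milliseconds) but labels them "s"
INT64_MIN = -(1 << 63)          # 0x8000000000000000, the infinite relative timeout
LONG_SLEEP_SECONDS = 180.0      # assumption: a relative wait this long counts as sleep evasion


@dataclass(frozen=True)
class DelayVerdict:
    kind: str       # "none", "absolute", "infinite", "long" or "short"
    seconds: float  # relative wait in seconds; inf for infinite, 0.0 when not relative


def report_value_to_ticks(reported: int) -> int:
    """Undo the report's scaling. -922337203685477 comes back as -9223372036854770000;
    the last four digits were lost to truncation, so classify_nt_delay tolerates
    that much error next to INT64_MIN."""
    return reported * REPORT_DIVISOR


def classify_nt_delay(ticks: int) -> DelayVerdict:
    """Interpret a LARGE_INTEGER as passed to NtDelayExecution: negative values are
    relative intervals, positive values are absolute system times, zero yields."""
    if ticks == 0:
        return DelayVerdict("none", 0.0)
    if ticks > 0:
        return DelayVerdict("absolute", 0.0)
    if ticks - INT64_MIN < REPORT_DIVISOR:          # INT64_MIN, allowing for truncation
        return DelayVerdict("infinite", float("inf"))
    seconds = -ticks / TICKS_PER_SECOND
    return DelayVerdict("long" if seconds >= LONG_SLEEP_SECONDS else "short", seconds)


# Marker strings taken from the report's memory dumps, grouped by what they detect.
VM_MARKERS: dict[str, list[bytes]] = {
    "sandboxie": [b"SBIEDLL.DLL"],
    "wine": [b"WINE_GET_UNIX_FILE_NAME"],
    "vmware": [
        b"VMWARE",
        b"VMware SVGA II",
        b"SOFTWARE\\VMware, Inc.\\VMware Tools",
        b"PROGRAM FILES\\VMWARE\\VMWARE TOOLS",
    ],
}
# Deliberately not a marker: "Hyper-V RAW" is the Winsock catalog name of the
# Hyper-V socket provider in mswsock.dll and appears on ordinary Windows hosts.


def scan_vm_artifacts(blob: bytes) -> dict[str, list[str]]:
    """Case-insensitive search of a memory dump for the markers above.
    Returns {family: [markers found]}, omitting families with no hit."""
    haystack = blob.upper()
    hits: dict[str, list[str]] = {}
    for family, markers in VM_MARKERS.items():
        found = [m.decode() for m in markers if m.upper() in haystack]
        if found:
            hits[family] = found
    return hits


# Constructed stand-in for a dumped region, modelled on the strings in the report
# (the SQL connection string is the unrelated neighbour seen next to the SVGA string).
SAMPLE_MEMORY = (
    b"\x00VMware SVGA II\x00Data Source=localhost\\sqlexpress;Initial Catalog=dbSMS\x00"
    b"SBIEDLL.DLL\x00SOFTWARE\\VMware, Inc.\\VMware Tools\x00Hyper-V RAW\x00"
)


def demo() -> dict[str, list[str]]:
    # Values in the report's own units: the observed entry, a 5-minute wait and a 10 ms wait.
    for reported in (-922337203685477, -300_000, -10):
        verdict = classify_nt_delay(report_value_to_ticks(reported))
        print(f"{reported:>17} -> {verdict.kind} ({verdict.seconds} s)")
    return scan_vm_artifacts(SAMPLE_MEMORY)


if __name__ == "__main__":
    print(demo())
```

Run stand-alone it prints the verdict for the reported value, for a 5-minute wait and for a 10 ms wait, and returns the marker families found. On a real case, feed the raw .sdmp bytes or strings output to scan_vm_artifacts; "Hyper-V RAW" is left out of the table on purpose because it comes from mswsock.dll on any Windows host and would only add noise.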

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PO 059420.exe Memory written: C:\Users\user\Desktop\PO 059420.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Memory written: C:\Users\user\AppData\Roaming\Install\Host.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp"
Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Users\user\Desktop\PO 059420.exe {path}
Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Users\user\AppData\Roaming\Install\Host.exe "C:\Users\user\AppData\Roaming\Install\Host.exe"
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmp46B4.tmp"
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process created: C:\Users\user\AppData\Roaming\Install\Host.exe {path}
Note: each stage starts a second instance of its own file with the literal argument {path} and writes a buffer beginning with the MZ header (4D5A) at 0x400000, the default image base of a 32-bit executable. That is the self-hollowing (RunPE) pattern of a .NET loader unpacking its payload into a suspended copy of itself. The schtasks image is the SysWOW64 copy although the command line names System32, because a 32-bit parent is subject to WoW64 file-system redirection; detections should match the file name, not the full path. Both stages register the same task, Updates\pgzBzcEDZDX, from an XML staged under %LOCALAPPDATA%\Temp.
Source: Host.exe, 00000008.00000002.565089772.0000000000CF5000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
Note: "Program Manager" is the window title of the desktop's Progman window; it is typically read through GetForegroundWindow/GetWindowText as a user-activity check (an idle desktop suggests an analysis machine).
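The two schtasks.exe invocations are the persistence step, and a detection for them keys on a task created from an XML staged in a temp directory. The Python below is an added example, not part of the report or of any vendor rule: it applies that logic to constructed process-creation events with Sysmon event-1 style field names (Image, ParentImage, CommandLine), matches the image by file name only because the report shows the SysWOW64 copy of schtasks.exe while the command line names System32 (WoW64 file-system redirection for a 32-bit parent), and adds weight for a parent in a user-writable location. The events, the scoring weights and the "Updates\" heuristic are assumptions; the first event reproduces the report's command line, the others are benign controls.

```python
"""Flag scheduled-task persistence created from an XML staged in a temp directory,
the pattern of the two schtasks.exe invocations above.

Added example for this report. EVENTS are constructed with Sysmon event-1 style
field names (Image, ParentImage, CommandLine); the scoring weights and the
"Updates\\" heuristic are assumptions tailored to this sample."""
from __future__ import annotations

import ntpath
import re

TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\", "\\tmp\\")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\")   # parent locations that raise the score
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line: quoted runs stay together and stray quotes
    (the report drops the opening quote of the image path) are stripped."""
    return [(quoted or bare).strip('"') for quoted, bare in TOKEN_RE.findall(cmdline)]


def switch_value(tokens: list[str], switch: str) -> str | None:
    """Value following a schtasks switch such as /TN or /XML (case-insensitive)."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == switch.lower():
            return tokens[i + 1]
    return None


def is_temp_path(path: str) -> bool:
    lowered = path.lower()
    return any(d in lowered for d in TEMP_DIRS)


def evaluate(event: dict[str, str]) -> dict:
    """Apply the rule to one process-creation event.  The image is matched by file
    name only: the report shows C:\\Windows\\SysWOW64\\schtasks.exe while the
    command line says System32, because a 32-bit parent is subject to WoW64
    file-system redirection."""
    result: dict = {"match": False, "score": 0, "reasons": [], "task_name": None, "xml": None}
    if ntpath.basename(event["Image"]).lower() != "schtasks.exe":
        return result
    tokens = split_windows_cmdline(event["CommandLine"])
    if not any(t.lower() == "/create" for t in tokens):
        return result
    result["task_name"] = switch_value(tokens, "/TN")
    result["xml"] = switch_value(tokens, "/XML")
    if result["xml"] and is_temp_path(result["xml"]):
        result["match"] = True
        result["score"] += 3
        result["reasons"].append("task XML staged in a temp directory")
    parent = event.get("ParentImage", "").lower()
    if any(d in parent for d in USER_WRITABLE):
        result["score"] += 1
        result["reasons"].append("parent runs from a user-writable location")
    if result["task_name"] and result["task_name"].lower().startswith("updates\\"):
        result["score"] += 1
        result["reasons"].append("task folder 'Updates\\' imitates a software updater")
    return result


EVENTS = [
    {   # modelled on the first schtasks line of the report
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "ParentImage": r"C:\Users\user\Desktop\PO 059420.exe",
        "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp"',
    },
    {   # constructed benign control: an installer registering a task from ProgramData
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\ProgramData\Vendor\updater.xml" /F',
    },
    {   # constructed: reading a task back is /Query, not /Create, and must not fire
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks.exe /Query /TN "Updates\pgzBzcEDZDX" /XML',
    },
]


def run_rule(events: list[dict[str, str]]) -> list[dict]:
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run_rule(EVENTS)):
        print(ntpath.basename(event["ParentImage"]), "->", verdict)
```

On a live host the staged XML is recoverable without the temp file: schtasks /Query /TN "Updates\pgzBzcEDZDX" /XML prints the registered definition, and the task store entry itself sits under C:\Windows\System32\Tasks\Updates\. The tokeniser also copes with the quoting exactly as the report prints it, so the lines can be pasted in unrepaired.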
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Users\user\Desktop\PO 059420.exe VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Note: the GAC assemblies queried here (System.Windows.Forms, System.Drawing, Microsoft.VisualBasic, Accessibility) and the sweep over every file in C:\Windows\Fonts are the footprint of a .NET WinForms process initialising GDI+ font collections. The same signature fires for ordinary .NET GUI applications and carries no weight on its own; its only value here is confirming that the first stage is a managed WinForms/VB.NET executable.
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Queries volume information: C:\Users\user\AppData\Roaming\Install\Host.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Install\Host.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO 059420.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Remote Access Functionality

Source: Yara match File source: 0.2.PO 059420.exe.4037e10.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.PO 059420.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO 059420.exe.4037e10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.323599749.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.324385254.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.319873179.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.328094627.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO 059420.exe PID: 4600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PO 059420.exe PID: 1916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Host.exe PID: 5188, type: MEMORYSTR