Windows Analysis Report
PO 059420.exe

Overview

General Information

Sample Name: PO 059420.exe
Analysis ID: 715096
MD5: 139deb18239c1db30775b256717b91a6
SHA1: 3539a4b24d8f5b601d99a2239f5f18e17cd5fb04
SHA256: 5f2a513bb02d1432e658ac0d65327d0ed56f6a4f1e014de8e4ff50fcf738ca93
Tags: exe, JustClickAm-com

Detection

NetWire
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected NetWire RAT
Sigma detected: Scheduled temp file as task from temp location
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • PO 059420.exe (PID: 4600 cmdline: C:\Users\user\Desktop\PO 059420.exe MD5: 139DEB18239C1DB30775B256717B91A6)
    • schtasks.exe (PID: 6136 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO 059420.exe (PID: 1916 cmdline: {path} MD5: 139DEB18239C1DB30775B256717B91A6)
      • Host.exe (PID: 5188 cmdline: "C:\Users\user\AppData\Roaming\Install\Host.exe" MD5: 139DEB18239C1DB30775B256717B91A6)
        • schtasks.exe (PID: 4756 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmp46B4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
          • conhost.exe (PID: 5556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • Host.exe (PID: 4140 cmdline: {path} MD5: 139DEB18239C1DB30775B256717B91A6)
        • MpCmdRun.exe (PID: 4756 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
          • conhost.exe (PID: 5188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Malware configuration (NetWire): {"C2 list": ["37.0.14.206:3384"], "Password": "Password234", "Host ID": "HostId-%Rand%", "Mutex": "-", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-"}

Yara matches (memory dumps)
Source: 00000003.00000002.323599749.000000000041B000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_NetWire_1; Description: Yara detected NetWire RAT; Author: Joe Security
Source: 00000003.00000002.323643134.0000000000423000.00000040.00000400.00020000.00000000.sdmp; Rule: netwire; Description: detect netwire in memory; Author: JPCERT/CC Incident Response Group; Strings: 0x3cc:$v1: HostId-%Rand%
Source: 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_NetWire_1; Description: Yara detected NetWire RAT; Author: Joe Security
Source: 00000000.00000002.324385254.0000000002F91000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_NetWire_1; Description: Yara detected NetWire RAT; Author: Joe Security
Source: 00000003.00000000.319873179.000000000041B000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_NetWire_1; Description: Yara detected NetWire RAT; Author: Joe Security

Yara matches (unpacked PEs)
Source: 0.2.PO 059420.exe.4037e10.2.unpack; Rule: JoeSecurity_NetWire_1; Description: Yara detected NetWire RAT; Author: Joe Security
Source: 3.0.PO 059420.exe.400000.0.unpack; Rule: JoeSecurity_NetWire_1; Description: Yara detected NetWire RAT; Author: Joe Security
Source: 0.2.PO 059420.exe.4037e10.2.raw.unpack; Rule: JoeSecurity_NetWire_1; Description: Yara detected NetWire RAT; Author: Joe Security

Persistence and Installation Behavior

Sigma match (Scheduled temp file as task from temp location)
Source: Process started; Author: Joe Security; Data:
  Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp
  CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: C:\Users\user\Desktop\PO 059420.exe
  ParentImage: C:\Users\user\Desktop\PO 059420.exe
  ParentProcessId: 4600
  ParentProcessName: PO 059420.exe
  ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp
  ProcessId: 6136
  ProcessName: schtasks.exe

Snort IDS alert
Timestamp: 10/03/22-16:17:34.145888
SID: 2837546
Source IP: 37.0.14.206
Destination IP: 192.168.2.5
Source Port: 3384
Destination Port: 49705
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: PO 059420.exe; ReversingLabs: Detection: 38%
Source: PO 059420.exe; Virustotal: Detection: 32%
Source: 37.0.14.206:3384; Avira URL Cloud: Label: malware
Source: 37.0.14.206:3384; Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Roaming\pgzBzcEDZDX.exe; ReversingLabs: Detection: 38%
Source: PO 059420.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\pgzBzcEDZDX.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; Joe Sandbox ML: detected
Source: 0.2.PO 059420.exe.4037e10.2.raw.unpack; Malware Configuration Extractor: NetWire {"C2 list": ["37.0.14.206:3384"], "Password": "Password234", "Host ID": "HostId-%Rand%", "Mutex": "-", "Install Path": "-", "Startup Name": "-", "ActiveX Key": "-"}
Source: PO 059420.exe; Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PO 059420.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic; Snort IDS: 2837546 ETPRO TROJAN Netwire RAT Check-in 37.0.14.206:3384 -> 192.168.2.5:49705
Source: Malware configuration extractor; URLs: 37.0.14.206:3384
Source: Joe Sandbox View; ASN Name: WKD-ASIE
Source: Joe Sandbox View; IP Address: 37.0.14.206
Source: global traffic; TCP traffic: 192.168.2.5:49705 -> 37.0.14.206:3384
Source: unknown; TCP traffic detected without corresponding DNS query: 37.0.14.206

System Summary

Source: 00000003.00000002.323643134.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect netwire in memory; Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.564992152.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect netwire in memory; Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: PO 059420.exe PID: 1916, type: MEMORYSTR; Matched rule: detect netwire in memory; Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Host.exe PID: 4140, type: MEMORYSTR; Matched rule: detect netwire in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.323643134.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: netwire; author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.564992152.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: netwire; author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: PO 059420.exe PID: 4600, type: MEMORYSTR; Matched rule: SUSP_Reversed_Base64_Encoded_EXE; date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects a base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: PO 059420.exe PID: 1916, type: MEMORYSTR; Matched rule: netwire; author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Host.exe PID: 5188, type: MEMORYSTR; Matched rule: SUSP_Reversed_Base64_Encoded_EXE; date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects a base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: Host.exe PID: 4140, type: MEMORYSTR; Matched rule: netwire; author = JPCERT/CC Incident Response Group, description = detect netwire in memory, rule_usage = memory scan, reference = internal research
Source: PO 059420.exe, 00000000.00000002.341458607.00000000082B0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameQuestKingdom.dllH vs PO 059420.exe
Source: PO 059420.exe, 00000000.00000002.324734583.0000000002FDE000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO 059420.exe
Source: PO 059420.exe, 00000000.00000002.341543894.00000000084A0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO 059420.exe
Source: PO 059420.exe, 00000000.00000002.328094627.0000000003F99000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameP2mI.exe> vs PO 059420.exe
Source: PO 059420.exe, 00000000.00000002.328094627.0000000003F99000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO 059420.exe
Source: PO 059420.exe, 00000000.00000002.328094627.0000000003F99000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameQuestKingdom.dllH vs PO 059420.exe
Source: PO 059420.exe, 00000003.00000002.324243547.00000000011B8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameP2mI.exe> vs PO 059420.exe
Source: PO 059420.exe; Binary or memory string: OriginalFilenameP2mI.exe> vs PO 059420.exe
Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Roaming\Install\Host.exe 5F2A513BB02D1432E658AC0D65327D0ED56F6A4F1E014DE8E4FF50FCF738CA93
Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Roaming\pgzBzcEDZDX.exe 5F2A513BB02D1432E658AC0D65327D0ED56F6A4F1E014DE8E4FF50FCF738CA93
Source: PO 059420.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pgzBzcEDZDX.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Host.exe.3.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO 059420.exe; File read: C:\Users\user\Desktop\PO 059420.exe
Source: C:\Users\user\Desktop\PO 059420.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Users\user\Desktop\PO 059420.exe C:\Users\user\Desktop\PO 059420.exe
Source: C:\Users\user\Desktop\PO 059420.exe; Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp
Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 059420.exe; Process created: C:\Users\user\Desktop\PO 059420.exe {path}
Source: C:\Users\user\Desktop\PO 059420.exe; Process created: C:\Users\user\AppData\Roaming\Install\Host.exe "C:\Users\user\AppData\Roaming\Install\Host.exe"
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmp46B4.tmp
Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; Process created: C:\Users\user\AppData\Roaming\Install\Host.exe {path}
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 059420.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\PO 059420.exe; File created: C:\Users\user\AppData\Roaming\pgzBzcEDZDX.exe
Source: C:\Users\user\Desktop\PO 059420.exe; File created: C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp
Source: classification engine; Classification label: mal100.troj.evad.winEXE@15/7@0/1
Source: C:\Users\user\Desktop\PO 059420.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: PO 059420.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO 059420.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1544:120:WilError_01
Source: C:\Windows\System32\conhost.exe; Mutant created: \BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; Mutant created: \Sessions\1\BaseNamedObjects\-
Source: C:\Users\user\AppData\Roaming\Install\Host.exe; Mutant created: \Sessions\1\BaseNamedObjects\czdggpDWYATzBvcsCf
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_01
Source: PO 059420.exe, 00000000.00000003.305553675.0000000005DED000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Segoe is a trademark of the Microsoft group of companies.slnt
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO 059420.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO 059420.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\PO 059420.exe; Code function: 0_2_07822C10 pushfd ; retf
                Source: C:\Users\user\Desktop\PO 059420.exeCode function: 0_2_07821B08 pushfd ; ret
                Source: C:\Users\user\Desktop\PO 059420.exeCode function: 0_2_07821A90 push eax; ret
                Source: C:\Users\user\Desktop\PO 059420.exeCode function: 0_2_0E0F558D push FFFFFF8Bh; iretd
                Source: C:\Users\user\Desktop\PO 059420.exeCode function: 0_2_0E0F1A23 push cs; ret
                Source: C:\Users\user\Desktop\PO 059420.exeCode function: 0_2_0E0F1973 push cs; iretd
                Source: C:\Users\user\AppData\Roaming\Install\Host.exeCode function: 4_2_05512C10 pushfd ; retf
                Source: C:\Users\user\AppData\Roaming\Install\Host.exeCode function: 4_2_05511B08 pushfd ; ret
                Source: C:\Users\user\AppData\Roaming\Install\Host.exeCode function: 4_2_05511A90 push eax; ret
                Source: C:\Users\user\AppData\Roaming\Install\Host.exeCode function: 4_2_0D33557A push dword ptr [edx+ebp*2-75h]; iretd
                Source: initial sampleStatic PE information: section name: .text entropy: 7.8243407891344505
                Source: initial sampleStatic PE information: section name: .text entropy: 7.8243407891344505
                Source: initial sampleStatic PE information: section name: .text entropy: 7.8243407891344505
                Source: C:\Users\user\Desktop\PO 059420.exeFile created: C:\Users\user\AppData\Roaming\Install\Host.exeJump to dropped file
                Source: C:\Users\user\Desktop\PO 059420.exeFile created: C:\Users\user\AppData\Roaming\pgzBzcEDZDX.exeJump to dropped file

                Boot Survival

                Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp"
                Source: C:\Users\user\Desktop\PO 059420.exe Process information set: NOOPENFILEERRORBOX (39 identical entries in the report)
                Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process information set: NOOPENFILEERRORBOX (34 identical entries in the report)
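
The persistence mechanism above is schtasks.exe importing a task definition from a file the sample has just written to %LocalAppData%\Temp. The following is an added triage script, not part of the Joe Sandbox report or of the sample: it parses the report's "Process created" and "File created" lines (copied here as constructed input, quotes rebalanced), applies the "schtasks /Create with /XML from a temp directory" rule, and then correlates each hit with the files the same parent dropped, so that the task name Updates\pgzBzcEDZDX can be tied to the dropped pgzBzcEDZDX.exe. The temp-directory list, the benign contrast line and the name-stem heuristic for the likely payload are my assumptions; the task XML itself is not in the report, so the payload link is a heuristic, not a fact read from the task.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: lines copied from this report's Boot Survival and
# "File created" entries (quotes rebalanced), plus one benign schtasks line
# that is my own addition for contrast and is not from the report.
REPORT_LINES = [
    r'Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp"',
    r'Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmp46B4.tmp"',
    r'Source: C:\Users\user\Desktop\PO 059420.exe File created: C:\Users\user\AppData\Roaming\Install\Host.exe',
    r'Source: C:\Users\user\Desktop\PO 059420.exe File created: C:\Users\user\AppData\Roaming\pgzBzcEDZDX.exe',
    r'Source: C:\Users\user\Desktop\PO 059420.exe File created: C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
]

# Directories from which an imported task XML is suspicious (assumption).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

EVENT_RE = re.compile(
    r"^Source:\s*(?P<source>.*?\.exe)\s*(?P<action>Process created|File created):\s*(?P<rest>.*)$", re.I)
IMAGE_RE = re.compile(r"^(?P<image>.*?\.exe)\s*(?P<cmd>.*)$", re.I)


@dataclass
class Event:
    source: str        # process that performed the action
    action: str        # "Process created" or "File created"
    path: str          # child image (process event) or written file (file event)
    cmdline: str = ""  # child command line, process events only


@dataclass
class Finding:
    parent: str
    task_name: Optional[str]
    xml_path: str
    xml_written_by_parent: bool   # the same process dropped the XML it imports
    likely_payload: Optional[str] # dropped file whose name stem equals the task name


def parse_event(line: str) -> Optional[Event]:
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    if m["action"].lower() == "file created":
        return Event(m["source"], m["action"], m["rest"].strip())
    im = IMAGE_RE.match(m["rest"].strip())  # unquoted image path ends at the first ".exe"
    if not im:
        return None
    return Event(m["source"], m["action"], im["image"], im["cmd"].strip())


def split_cmdline(cmd: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes and
    leaving backslashes untouched (shlex in POSIX mode would eat them)."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmd)]


def arg_after(tokens: list, flag: str) -> Optional[str]:
    low = [t.lower() for t in tokens]
    if flag in low and low.index(flag) + 1 < len(tokens):
        return tokens[low.index(flag) + 1]
    return None


def is_schtasks_from_temp(ev: Event):
    """schtasks.exe /Create importing /XML from a temp directory; returns
    (task name, xml path) on a hit, None otherwise."""
    if ev.action.lower() != "process created" or not ev.path.lower().endswith("\\schtasks.exe"):
        return None
    toks = split_cmdline(ev.cmdline)
    if "/create" not in (t.lower() for t in toks):
        return None
    xml = arg_after(toks, "/xml")
    if xml is None or not any(mk in xml.lower() for mk in TEMP_MARKERS):
        return None
    return arg_after(toks, "/tn"), xml


def stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage(lines) -> list:
    events = [e for e in map(parse_event, lines) if e]
    written = {}  # parent image (lower) -> set of files it created (lower)
    for e in events:
        if e.action.lower() == "file created":
            written.setdefault(e.source.lower(), set()).add(e.path.lower())
    findings = []
    for e in events:
        hit = is_schtasks_from_temp(e)
        if not hit:
            continue
        task_name, xml = hit
        dropped = written.get(e.source.lower(), set())
        payload = next((p for p in dropped if task_name and stem(p) == stem(task_name)), None)
        findings.append(Finding(e.source, task_name, xml, xml.lower() in dropped, payload))
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_LINES):
        print(f)
```

Run against the report lines this yields two findings (one per parent process) and ignores the constructed benign import from C:\ProgramData. For the first hit the XML file is among the files the parent itself created, which is the combination the rule is after; the second hit has no matching "File created" line in this excerpt, so that flag stays false rather than being guessed.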

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: PO 059420.exe PID: 4600, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: Host.exe PID: 5188, type: MEMORYSTR
                Source: PO 059420.exe, 00000000.00000002.324385254.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: PO 059420.exe, 00000000.00000002.324385254.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\PO 059420.exe TID: 5312 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\Install\Host.exe TID: 1008 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 identical entries in the report)
                Source: C:\Users\user\Desktop\PO 059420.exe Thread delayed: delay time: 922337203685477 (2 identical entries in the report)
                Source: C:\Users\user\AppData\Roaming\Install\Host.exe Thread delayed: delay time: 922337203685477 (2 identical entries in the report)
                Source: C:\Users\user\Desktop\PO 059420.exe Process information queried: ProcessInformation
                Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
                Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
                Source: Host.exe, 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                Source: PO 059420.exe, 00000003.00000002.324243547.00000000011B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\PO 059420.exe Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process token adjusted: Debug
                Source: C:\Users\user\Desktop\PO 059420.exe Memory allocated: page read and write | page guard
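
Two things in the evasion entries above deserve a closer look than the signature names give them. The sleep value 922337203685477 is exactly 2^63 / 10^4, i.e. the 100 ns delay 0x8000000000000000 that SleepEx(INFINITE) hands to NtDelayExecution, converted to milliseconds; so the report's "s" suffix is evidently milliseconds (its 30000 threshold is then 30 s), and both processes parked a thread indefinitely rather than stalling a timer for the analysis window. And the "Hyper-V RAW ... mswsock.dll" string is the name of the Windows AF_HYPERV Winsock provider, which appears in the memory of ordinary processes and is not evidence of a VM check. The script below is an added example (not from the report or the sample) that decodes the sleep entries with this in mind and buckets the memory strings by what they test for, filtering that known-benign one. The analysis-window length, the family table and the extra finite-sleep line are my assumptions.

```python
import re
from dataclasses import dataclass

# SleepEx(INFINITE) passes 0x8000000000000000 (100 ns units) to NtDelayExecution.
# In milliseconds that is 922337203685477, exactly the report's value, which is
# why the report's "s" suffix is read as milliseconds here (inference).
INFINITE_MS = (1 << 63) // 10_000

# Assumed length of the sandbox run in ms; the report does not state it.
ANALYSIS_WINDOW_MS = 300_000

SLEEP_RE = re.compile(r"Thread sleep time:\s*-?(?P<ms>\d+)s\s*>=\s*-?(?P<thr>\d+)s", re.I)


@dataclass
class SleepVerdict:
    millis: int
    infinite: bool         # Sleep(INFINITE): the thread is parked, not stalling a timer
    outlasts_window: bool  # finite, but longer than the analysis run
    over_threshold: bool   # what the report's own signature checks


def decode_sleep(line: str, window_ms: int = ANALYSIS_WINDOW_MS):
    m = SLEEP_RE.search(line)
    if not m:
        return None
    ms, thr = int(m["ms"]), int(m["thr"])
    infinite = ms >= INFINITE_MS
    return SleepVerdict(ms, infinite, (not infinite) and ms > window_ms, ms >= thr)


# Memory strings from the report grouped by the environment they probe for
# (assumed table). Registry paths are matched case-insensitively as substrings.
FAMILIES = {
    "sandboxie": ("sbiedll.dll",),
    "wine": ("wine_get_unix_file_name",),
    "vmware": ("vmware",),
    "hyper-v": ("hyper-v",),
    "disk-enum": ("services\\disk\\enum", "devicemap\\scsi"),
}
# "Hyper-V RAW" is the AF_HYPERV Winsock provider name from mswsock.dll and is
# present in ordinary processes, so it must not count as a hypervisor check.
BENIGN = ("hyper-v raw",)


def classify(memory_string: str) -> set:
    s = memory_string.lower()
    if any(b in s for b in BENIGN):
        return set()
    return {fam for fam, needles in FAMILIES.items() if any(n in s for n in needles)}


# Constructed sample: trimmed report lines plus one finite 10-minute sleep line
# that I made up to show the other branch.
SAMPLE = [
    "Source: C:\\Users\\user\\Desktop\\PO 059420.exe TID: 5312 Thread sleep time: -922337203685477s >= -30000s",
    "Source: C:\\Users\\user\\Desktop\\sample.exe TID: 1234 Thread sleep time: -600000s >= -30000s",
    "Binary or memory string: SBIEDLL.DLL",
    "Binary or memory string: WINE_GET_UNIX_FILE_NAME",
    "Binary or memory string: VMWARE\"SOFTWARE\\VMware, Inc.\\VMware ToolsLHARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0'SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
    "Binary or memory string: Hyper-V RAW%SystemRoot%\\system32\\mswsock.dll",
]


def summarize(lines) -> dict:
    sleeps = [v for v in map(decode_sleep, lines) if v]
    families = set()
    for ln in lines:
        families |= classify(ln)
    return {"sleeps": sleeps, "families": families}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The practical difference: a finite sleep that outlasts the window calls for a longer run or sleep skipping, whereas an infinite wait means the interesting activity is in another thread or in the child process, which is consistent with the injection entries further down.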

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\PO 059420.exe Memory written: C:\Users\user\Desktop\PO 059420.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\Install\Host.exe Memory written: C:\Users\user\AppData\Roaming\Install\Host.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp"
                Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Users\user\Desktop\PO 059420.exe {path}
                Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Users\user\AppData\Roaming\Install\Host.exe "C:\Users\user\AppData\Roaming\Install\Host.exe"
                Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmp46B4.tmp"
                Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process created: C:\Users\user\AppData\Roaming\Install\Host.exe {path}
                Source: Host.exe, 00000008.00000002.565089772.0000000000CF5000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: Program Manager
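
The "Memory written ... base: 400000 value starts with: 4D5A" entries are the tell of the injection: each process starts a second copy of itself (the report prints {path} where the child's command line is just its own image path) and then writes a PE image, "MZ" first, at 0x400000 in that child. Because the report groups lines by signature rather than by time, the correlation has to be made on identity (writer is also the parent, target is the child) rather than on order. The script below is an added example, not from the report or the sample, that does exactly that over the lines above (copied as constructed input), and flags whether the target is a spawned copy of the writer. The decoy write at a different base with non-MZ content is my addition, to show what does not correlate.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the "Memory written" and "Process created" lines of this
# report's HIPS / PFW section (quotes rebalanced), plus one decoy write that is
# my own addition, not from the report.
LINES = [
    r"Source: C:\Users\user\Desktop\PO 059420.exe Memory written: C:\Users\user\Desktop\PO 059420.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\AppData\Roaming\Install\Host.exe Memory written: C:\Users\user\AppData\Roaming\Install\Host.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Users\user\Desktop\PO 059420.exe {path}",
    r'Source: C:\Users\user\Desktop\PO 059420.exe Process created: C:\Users\user\AppData\Roaming\Install\Host.exe "C:\Users\user\AppData\Roaming\Install\Host.exe"',
    r"Source: C:\Users\user\AppData\Roaming\Install\Host.exe Process created: C:\Users\user\AppData\Roaming\Install\Host.exe {path}",
    r"Source: C:\Users\user\AppData\Roaming\Install\Host.exe Memory written: C:\Users\user\AppData\Roaming\Install\Host.exe base: 7FF00000 value starts with: 0000",
]

PROC_RE = re.compile(
    r"^Source:\s*(?P<src>.*?\.exe)\s*Process created:\s*(?P<child>.*?\.exe)", re.I)
MEM_RE = re.compile(
    r"^Source:\s*(?P<src>.*?\.exe)\s*Memory written:\s*(?P<dst>.*?\.exe)\s*"
    r"base:\s*(?P<base>[0-9a-f]+)\s*value starts with:\s*(?P<val>[0-9a-f]+)", re.I)


@dataclass
class Finding:
    writer: str
    target: str
    base: int
    self_injection: bool      # writer planted a PE into a spawned copy of itself
    default_image_base: bool  # 0x400000 is the linker default ImageBase for 32-bit PE


def correlate(lines) -> list:
    spawned = defaultdict(set)  # parent image (lower) -> child images it created
    writes = []                 # (writer, target, base, leading bytes as hex)
    for ln in lines:
        m = PROC_RE.match(ln.strip())
        if m:
            spawned[m["src"].lower()].add(m["child"].lower())
            continue
        m = MEM_RE.match(ln.strip())
        if m:
            writes.append((m["src"], m["dst"], int(m["base"], 16), m["val"].lower()))

    findings = []
    for src, dst, base, val in writes:
        if not val.startswith("4d5a"):              # "MZ": a whole PE image is being planted
            continue
        if dst.lower() not in spawned[src.lower()]:  # writer must also be the parent
            continue
        findings.append(Finding(src, dst, base, src.lower() == dst.lower(), base == 0x400000))
    return findings


if __name__ == "__main__":
    for f in correlate(LINES):
        print(f)
```

Both real entries come out as self-injection at the default image base; the PO 059420.exe to Host.exe launch is a plain drop-and-execute with no write against it and is not reported, and the decoy write is dropped because its first bytes are not an MZ header.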
                Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Users\user\Desktop\PO 059420.exe VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exe Queries volume information (VolumeInformation) for the following files under C:\Windows\Fonts\ (one report entry per file; font enumeration consistent with the System.Drawing and System.Windows.Forms assemblies loaded above): arial.ttf, ariali.ttf, arialbd.ttf, arialbi.ttf, ARIALN.TTF, ariblk.ttf, ARIALNI.TTF, ARIALNB.TTF, ARIALNBI.TTF, bahnschrift.ttf, calibri.ttf, calibril.ttf, calibrii.ttf, calibrili.ttf, calibrib.ttf, calibriz.ttf, cambria.ttc, cambriai.ttf, cambriab.ttf, cambriaz.ttf, Candara.ttf, Candarai.ttf, Candarab.ttf, Candaraz.ttf, comic.ttf, comici.ttf, comicbd.ttf, comicz.ttf, consola.ttf, consolai.ttf, consolab.ttf, consolaz.ttf, constan.ttf, constani.ttf, constanb.ttf, constanz.ttf, corbel.ttf, corbeli.ttf, corbelb.ttf, corbelz.ttf, cour.ttf, couri.ttf, courbd.ttf, courbi.ttf, ebrima.ttf, ebrimabd.ttf, framd.ttf, FRADM.TTF, framdit.ttf, FRADMIT.TTF, FRAMDCN.TTF, FRADMCN.TTF, FRAHV.TTF, FRAHVIT.TTF, Gabriola.ttf, gadugi.ttf, gadugib.ttf, georgia.ttf, georgiai.ttf, georgiab.ttf, georgiaz.ttf, impact.ttf, Inkfree.ttf, javatext.ttf, LeelawUI.ttf, LeelUIsl.ttf, LeelaUIb.ttf, lucon.ttf, l_10646.ttf, malgun.ttf, malgunsl.ttf, malgunbd.ttf, himalaya.ttf, msjh.ttc, msjhl.ttc, msjhbd.ttc, ntailu.ttf, ntailub.ttf, phagspa.ttf, phagspab.ttf, micross.ttf, taile.ttf, taileb.ttf, msyh.ttc, msyhl.ttc, msyhbd.ttc, msyi.ttf, mingliub.ttc, monbaiti.ttf, msgothic.ttc, mvboli.ttf, mmrtext.ttf, mmrtextb.ttf, Nirmala.ttf, NirmalaS.ttf, NirmalaB.ttf, pala.ttf, palai.ttf, palab.ttf, palabi.ttf, segoepr.ttf, segoeprb.ttf, segoesc.ttf, segoescb.ttf, segoeuii.ttf, seguisli.ttf, seguili.ttf, seguisbi.ttf, segoeuiz.ttf, seguibl.ttf, seguibli.ttf, seguiemj.ttf, seguihis.ttf, seguisym.ttf, simsun.ttc, simsunb.ttf, Sitka.ttc
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Install\Host.exeQueries volume information: C:\Users\user\AppData\Roaming\Install\Host.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Install\Host.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Install\Host.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Install\Host.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\Install\Host.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO 059420.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality

Source: Yara match | File source: 0.2.PO 059420.exe.4037e10.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.PO 059420.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO 059420.exe.4037e10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.323599749.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.324385254.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.319873179.000000000041B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.328094627.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO 059420.exe PID: 4600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO 059420.exe PID: 1916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Host.exe PID: 5188, type: MEMORYSTR
ATT&CK techniques by tactic (the numeric prefix the report shows before a technique is kept as given):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: 112 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 112 Process Injection; 2 Obfuscated Files or Information; 2 Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 21 Security Software Discovery; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 12 System Information Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Behavior Graph ID: 715096 | Sample: PO 059420.exe | Startdate: 03/10/2022 | Architecture: WINDOWS | Score: 100

Top-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 11 other signatures

Process tree:
PO 059420.exe (started)
    dropped: C:\Users\user\AppData\...\pgzBzcEDZDX.exe (PE32); C:\Users\user\AppData\Local\...\tmpFCF6.tmp (XML); C:\Users\user\AppData\...\PO 059420.exe.log (ASCII)
    signature: Injects a PE file into a foreign processes
    +-- PO 059420.exe (started)
    |       dropped: C:\Users\user\AppData\Roaming\...\Host.exe (PE32)
    |       +-- Host.exe (started)
    |               signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    |               +-- Host.exe (started) | DNS/IP: 37.0.14.206, 3384, 49705 WKD-ASIE Netherlands
    |               +-- MpCmdRun.exe (started)
    |               |       +-- conhost.exe (started)
    |               +-- schtasks.exe (started)
    |                       +-- conhost.exe (started)
    +-- schtasks.exe (started)
            +-- conhost.exe (started)

Source | Detection | Scanner | Label | Link
PO 059420.exe | 38% | ReversingLabs | ByteCode-MSIL.Backdoor.NetWiredRc |
PO 059420.exe | 32% | Virustotal | | Browse
PO 059420.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\pgzBzcEDZDX.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\Install\Host.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\Install\Host.exe | 38% | ReversingLabs | ByteCode-MSIL.Backdoor.NetWiredRc |
C:\Users\user\AppData\Roaming\pgzBzcEDZDX.exe | 38% | ReversingLabs | ByteCode-MSIL.Backdoor.NetWiredRc |

Source | Detection | Scanner | Label | Link | Download
3.0.PO 059420.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1250673 | | Download File

No Antivirus matches
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
37.0.14.206:3384 | true | 15%, Virustotal, Browse; Avira URL Cloud: malware | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
37.0.14.206 | unknown | Netherlands | | 198301 | WKD-ASIE | true
                                      Joe Sandbox Version:36.0.0 Rainbow Opal
                                      Analysis ID:715096
                                      Start date and time:2022-10-03 16:16:09 +02:00
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 8m 24s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:PO 059420.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:21
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal100.troj.evad.winEXE@15/7@0/1
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HDC Information:Failed
                                      HCA Information:
                                      • Successful, ratio: 89%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                      • Excluded domains from analysis (whitelisted): login.live.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:17:10 | API Interceptor | 1x Sleep call for process: PO 059420.exe modified
16:17:25 | API Interceptor | 1x Sleep call for process: Host.exe modified
16:17:59 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
                                      No context
                                      Process:C:\Users\user\AppData\Roaming\Install\Host.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.355304211458859
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                      MD5:69206D3AF7D6EFD08F4B4726998856D3
                                      SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                      SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                      SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                      Process:C:\Users\user\Desktop\PO 059420.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.355304211458859
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                      MD5:69206D3AF7D6EFD08F4B4726998856D3
                                      SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                      SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                      SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                      Malicious:true
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                      Process:C:\Users\user\AppData\Roaming\Install\Host.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1648
                                      Entropy (8bit):5.18220300174711
                                      Encrypted:false
                                      SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB15Utn:cbhC7ZlNQF/rydbz9I3YODOLNdq3f5S
                                      MD5:E1874C0A9C2B1DDAB8202382FC80BCF5
                                      SHA1:33D83EB67CFBD22D86041D6C9518FCEDBB11B47E
                                      SHA-256:0E8924A5E0A52533F1154C4B62EF6AAC85DCDF02AE905DDB99A3AE4B5FB1CAF3
                                      SHA-512:5C0A229DDDB86190A226189BB0398159BD561ACAD32143077D91328B1BF5D40CCC205313A5A7790BA330E8E088C28954E55A5B2263C371E016F6FF497B01390F
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                      Process:C:\Users\user\Desktop\PO 059420.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1648
                                      Entropy (8bit):5.18220300174711
                                      Encrypted:false
                                      SSDEEP:24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB15Utn:cbhC7ZlNQF/rydbz9I3YODOLNdq3f5S
                                      MD5:E1874C0A9C2B1DDAB8202382FC80BCF5
                                      SHA1:33D83EB67CFBD22D86041D6C9518FCEDBB11B47E
                                      SHA-256:0E8924A5E0A52533F1154C4B62EF6AAC85DCDF02AE905DDB99A3AE4B5FB1CAF3
                                      SHA-512:5C0A229DDDB86190A226189BB0398159BD561ACAD32143077D91328B1BF5D40CCC205313A5A7790BA330E8E088C28954E55A5B2263C371E016F6FF497B01390F
                                      Malicious:true
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>t
                                      Process:C:\Users\user\Desktop\PO 059420.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):540160
                                      Entropy (8bit):7.814158275127434
                                      Encrypted:false
                                      SSDEEP:12288:wucnf2iNF7xankO5z2Z3hTH5IPudSGATPjeDc4pDp4ClYdRU:wRf1f79Oh2Z35H2GdMPjucopjn
                                      MD5:139DEB18239C1DB30775B256717B91A6
                                      SHA1:3539A4B24D8F5B601D99A2239F5F18E17CD5FB04
                                      SHA-256:5F2A513BB02D1432E658AC0D65327D0ED56F6A4F1E014DE8E4FF50FCF738CA93
                                      SHA-512:7E27E7D7EA24795EC51C2EEA762F4DCB4DBAD04ACE4965B78B16609152E3C346FFA4D6B231A9DED9F4DD2ECA7493E54B5D1CAB82E0A6A4C56A3A07B44F64BBF7
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 38%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....V:c.............................=... ...@....@.. ....................................@..................................=..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......<..............@..B.................=......H............`..............@...........................................z.(......}.....(....o....}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....o....*..{....*.s..
                                      Process:C:\Users\user\Desktop\PO 059420.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):540160
                                      Entropy (8bit):7.814158275127434
                                      Encrypted:false
                                      SSDEEP:12288:wucnf2iNF7xankO5z2Z3hTH5IPudSGATPjeDc4pDp4ClYdRU:wRf1f79Oh2Z35H2GdMPjucopjn
                                      MD5:139DEB18239C1DB30775B256717B91A6
                                      SHA1:3539A4B24D8F5B601D99A2239F5F18E17CD5FB04
                                      SHA-256:5F2A513BB02D1432E658AC0D65327D0ED56F6A4F1E014DE8E4FF50FCF738CA93
                                      SHA-512:7E27E7D7EA24795EC51C2EEA762F4DCB4DBAD04ACE4965B78B16609152E3C346FFA4D6B231A9DED9F4DD2ECA7493E54B5D1CAB82E0A6A4C56A3A07B44F64BBF7
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 38%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....V:c.............................=... ...@....@.. ....................................@..................................=..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......<..............@..B.................=......H............`..............@...........................................z.(......}.....(....o....}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....o....*..{....*.s..
                                      Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):8156
                                      Entropy (8bit):3.16808430889348
                                      Encrypted:false
                                      SSDEEP:96:cEj+AbCEH+AbuEAc+AbhGEA+AbNEe+Ab/Ee+AbPE6w9+Ab1wTEE+Ab5Elh+AbCr:cY+38+DJc+iGr+MZ+65+6tg+ECf+YI+z
                                      MD5:233C244CA1ADF553703A5ABEDF7780DF
                                      SHA1:54D61862A33B795713F2AA043FCDE6BCC006FA06
                                      SHA-256:E93DC02FEBD6E494013036348219A23B429068228119EACAD830B6DD7438CE07
                                      SHA-512:958F06BDC4B46950BFAAC2E94F5FDFBD2FAA354D3195D9C5B5D6DBA8428F9163F95C7B69BB00BFBBAC7DE997234EB169D5F0E8A66BB4A5A37EF7B8F184F0186F
                                      Malicious:false
                                      Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.814158275127434
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      File name:PO 059420.exe
                                      File size:540160
                                      MD5:139deb18239c1db30775b256717b91a6
                                      SHA1:3539a4b24d8f5b601d99a2239f5f18e17cd5fb04
                                      SHA256:5f2a513bb02d1432e658ac0d65327d0ed56f6a4f1e014de8e4ff50fcf738ca93
                                      SHA512:7e27e7d7ea24795ec51c2eea762f4dcb4dbad04ace4965b78b16609152e3c346ffa4d6b231a9ded9f4dd2eca7493e54b5d1cab82e0a6a4c56a3a07b44f64bbf7
                                      SSDEEP:12288:wucnf2iNF7xankO5z2Z3hTH5IPudSGATPjeDc4pDp4ClYdRU:wRf1f79Oh2Z35H2GdMPjucopjn
                                      TLSH:E9B4E0FC532C7FBBD27E10B91416D04802FD851A2260F685BCF6A5D7A1C3BD54B329AA
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....V:c.............................=... ...@....@.. ....................................@................................
                                      Icon Hash:4099d9c2ce989902
                                      Entrypoint:0x483de2
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x633A56C8 [Mon Oct 3 03:28:08 2022 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                       Name | Virtual Address | Virtual Size | Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x83d88 | 0x57 | .text
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x1ae0 | .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0xc | .reloc
                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                       Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                       .text | 0x2000 | 0x81de8 | 0x81e00 | False | 0.8779456659047161 | data | 7.8243407891344505 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rsrc | 0x84000 | 0x1ae0 | 0x1c00 | False | 0.8017578125 | data | 7.233952869050084 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .reloc | 0x86000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                       Name | RVA | Size | Type | Language | Country
                                       RT_ICON | 0x84130 | 0x1354 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                       RT_GROUP_ICON | 0x85484 | 0x14 | data | |
                                       RT_VERSION | 0x85498 | 0x360 | data | |
                                       RT_MANIFEST | 0x857f8 | 0x2e8 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (741), with no line terminators | |
                                       DLL | Import
                                       mscoree.dll | _CorExeMain
                                       Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                       10/03/22-16:17:34.145888 | TCP | 2837546 | ETPRO TROJAN Netwire RAT Check-in | 3384 | 49705 | 37.0.14.206 | 192.168.2.5
                                       Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                       Oct 3, 2022 16:17:30.652000904 CEST | 49705 | 3384 | 192.168.2.5 | 37.0.14.206
                                       Oct 3, 2022 16:17:33.779834986 CEST | 49705 | 3384 | 192.168.2.5 | 37.0.14.206
                                       Oct 3, 2022 16:17:33.965631008 CEST | 3384 | 49705 | 37.0.14.206 | 192.168.2.5
                                       Oct 3, 2022 16:17:33.965816975 CEST | 49705 | 3384 | 192.168.2.5 | 37.0.14.206
                                       Oct 3, 2022 16:17:33.966686010 CEST | 49705 | 3384 | 192.168.2.5 | 37.0.14.206
                                       Oct 3, 2022 16:17:34.145888090 CEST | 3384 | 49705 | 37.0.14.206 | 192.168.2.5
                                       Oct 3, 2022 16:17:34.152542114 CEST | 49705 | 3384 | 192.168.2.5 | 37.0.14.206
                                       Oct 3, 2022 16:17:34.387824059 CEST | 3384 | 49705 | 37.0.14.206 | 192.168.2.5
                                       Oct 3, 2022 16:18:32.637304068 CEST | 3384 | 49705 | 37.0.14.206 | 192.168.2.5
                                       Oct 3, 2022 16:18:32.640719891 CEST | 49705 | 3384 | 192.168.2.5 | 37.0.14.206
                                       Oct 3, 2022 16:18:33.113528967 CEST | 3384 | 49705 | 37.0.14.206 | 192.168.2.5
                                       Oct 3, 2022 16:18:33.113604069 CEST | 49705 | 3384 | 192.168.2.5 | 37.0.14.206
                                       Oct 3, 2022 16:18:33.144264936 CEST | 49705 | 3384 | 192.168.2.5 | 37.0.14.206
                                       Oct 3, 2022 16:18:33.375653028 CEST | 3384 | 49705 | 37.0.14.206 | 192.168.2.5


                                      Target ID:0
                                      Start time:16:17:03
                                      Start date:03/10/2022
                                      Path:C:\Users\user\Desktop\PO 059420.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\PO 059420.exe
                                      Imagebase:0xaf0000
                                      File size:540160 bytes
                                      MD5 hash:139DEB18239C1DB30775B256717B91A6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000000.00000002.324385254.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000000.00000002.328094627.0000000003F99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low

                                      Target ID:1
                                      Start time:16:17:13
                                      Start date:03/10/2022
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmpFCF6.tmp
                                      Imagebase:0x340000
                                      File size:185856 bytes
                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:2
                                      Start time:16:17:13
                                      Start date:03/10/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7fcd70000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:3
                                      Start time:16:17:14
                                      Start date:03/10/2022
                                      Path:C:\Users\user\Desktop\PO 059420.exe
                                      Wow64 process (32bit):true
                                      Commandline:{path}
                                      Imagebase:0xa30000
                                      File size:540160 bytes
                                      MD5 hash:139DEB18239C1DB30775B256717B91A6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000003.00000002.323599749.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: netwire, Description: detect netwire in memory, Source: 00000003.00000002.323643134.0000000000423000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000003.00000000.319873179.000000000041B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low

                                      Target ID:4
                                      Start time:16:17:15
                                      Start date:03/10/2022
                                      Path:C:\Users\user\AppData\Roaming\Install\Host.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\Install\Host.exe"
                                      Imagebase:0x190000
                                      File size:540160 bytes
                                      MD5 hash:139DEB18239C1DB30775B256717B91A6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_NetWire_1, Description: Yara detected NetWire RAT, Source: 00000004.00000002.355950894.0000000002511000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 38%, ReversingLabs
                                      Reputation:low

                                      Target ID:6
                                      Start time:16:17:28
                                      Start date:03/10/2022
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pgzBzcEDZDX" /XML "C:\Users\user\AppData\Local\Temp\tmp46B4.tmp
                                      Imagebase:0x340000
                                      File size:185856 bytes
                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:7
                                      Start time:16:17:29
                                      Start date:03/10/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7fcd70000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      Target ID:8
                                      Start time:16:17:29
                                      Start date:03/10/2022
                                      Path:C:\Users\user\AppData\Roaming\Install\Host.exe
                                      Wow64 process (32bit):true
                                      Commandline:{path}
                                      Imagebase:0x830000
                                      File size:540160 bytes
                                      MD5 hash:139DEB18239C1DB30775B256717B91A6
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: netwire, Description: detect netwire in memory, Source: 00000008.00000002.564992152.0000000000423000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      Target ID:13
                                      Start time:16:17:59
                                      Start date:03/10/2022
                                      Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                      Imagebase:0x7ff7482b0000
                                      File size:455656 bytes
                                      MD5 hash:A267555174BFA53844371226F482B86B
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      Target ID:14
                                      Start time:16:17:59
                                      Start date:03/10/2022
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7fcd70000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language

                                      No disassembly