
Windows Analysis Report
PO_7413.exe

Overview

General Information

Sample Name: PO_7413.exe
Analysis ID: 830617
MD5: 1b3b644b48693ffea0d42032e778906b
SHA1: 2a26e739cae611522e94853194499765aa7ba30c
SHA256: 79bcc176d961b06ff3f7af0000c16e8fae56cf03b504153e439ecbccfaa34bbf
Tags: agenttesla, exe

Detection

AgentTesla, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
Injects a PE file into a foreign process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • PO_7413.exe (PID: 3084 cmdline: C:\Users\user\Desktop\PO_7413.exe MD5: 1B3B644B48693FFEA0D42032E778906B)
    • PO_7413.exe (PID: 6100 cmdline: C:\Users\user\Desktop\PO_7413.exe MD5: 1B3B644B48693FFEA0D42032E778906B)
    • PO_7413.exe (PID: 4636 cmdline: C:\Users\user\Desktop\PO_7413.exe MD5: 1B3B644B48693FFEA0D42032E778906B)
  • cleanup
Malware Configuration (AgentTesla, extracted from 0.2.PO_7413.exe.378e940.4.raw.unpack): {"Exfil Mode": "SMTP", "Host": "mail.printshopgt.com", "Username": "recepcion@printshopgt.com", "Password": "R3cGT17*"}
Yara matches in process memory (Source / Rule / Description / Author):

            Source: 00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp
              Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
            Source: 00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp
              Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
            Source: Process Memory Space: PO_7413.exe PID: 4636
              Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
            Source: Process Memory Space: PO_7413.exe PID: 4636
              Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
            Yara matches in unpacked PE (Source / Rule / Description / Author / Strings):

            Source: 0.2.PO_7413.exe.378e940.4.raw.unpack
              Rule: JoeSecurity_zgRAT_1 | Description: Yara detected zgRAT | Author: Joe Security
            Source: 0.2.PO_7413.exe.378e940.4.raw.unpack
              Rule: MALWARE_Win_zgRAT | Description: Detects zgRAT | Author: ditekSHen
              Strings:
              • 0x70b4b:$s1: file:///
              • 0x70a5b:$s2: {11111-22222-10009-11112}
              • 0x70adb:$s3: {11111-22222-50001-00000}
              • 0x700dd:$s4: get_Module
              • 0x70368:$s5: Reverse
              • 0x14b5c0:$s5: Reverse
              • 0x6e1f4:$s6: BlockCopy
              • 0x14cc43:$s6: BlockCopy
              • 0x14b766:$s7: ReadByte
              • 0x70b5d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
            No Sigma rule has matched
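The $s8 match of MALWARE_Win_zgRAT is a run of length-prefixed UTF-16LE entries from the .NET user-string (#US) heap: "Location", "Find ", "ResourceA" and the start of a string beginning "Virtual", each followed by a one-byte terminal flag. The Python below is an added example, not from the report or from the rule's author, that decodes such a fragment following the ECMA-335 encoding (compressed unsigned integer length, II.23.2; #US entry layout, II.24.2.4). Two assumptions are labelled in the code: the 0x11 length byte prepended to the quoted bytes (the match starts one byte after it, and 8 chars * 2 + 1 = 17), and that $s1 ("file:///") matched in its wide form, which is what makes its offset 0x70b4b and the $s8 offset 0x70b5d adjacent entries.

```python
"""Decode a .NET #US (user-string) heap fragment such as the $s8 match on this page."""

# Bytes exactly as quoted for $s8 (cut at the rule's "..."), with one ASSUMED byte prepended:
# the 0x11 length prefix of "Location" that the quoted match begins just after.
SAMPLE_US_FRAGMENT = bytes.fromhex(
    "11 "  # assumed length prefix, not part of the quoted match
    "4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 "
    "00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 "
    "74 00 75 00 61 00 6C 00"
)


def read_compressed_uint(buf: bytes, pos: int):
    """ECMA-335 II.23.2 compressed unsigned integer. Returns (value, header_length)."""
    b0 = buf[pos]
    if b0 & 0x80 == 0:                       # 0xxxxxxx: one byte, 0..127
        return b0, 1
    if b0 & 0xC0 == 0x80:                    # 10xxxxxx: two bytes, 128..2^14-1
        return ((b0 & 0x3F) << 8) | buf[pos + 1], 2
    if b0 & 0xE0 == 0xC0:                    # 110xxxxx: four bytes, up to 2^29-1
        return (((b0 & 0x1F) << 24) | (buf[pos + 1] << 16)
                | (buf[pos + 2] << 8) | buf[pos + 3]), 4
    raise ValueError(f"invalid compressed integer header 0x{b0:02x} at offset {pos}")


def parse_us_heap(buf: bytes, offset: int = 0) -> list:
    """Walk consecutive #US entries: <compressed length><UTF-16LE chars><1 terminal byte>.

    The length covers the characters plus the terminal byte. A truncated final entry
    (the rule excerpt ends mid-string) is returned with partial=True instead of raising.
    """
    entries, pos = [], offset
    while pos < len(buf):
        start = pos
        length, hdr = read_compressed_uint(buf, pos)
        pos += hdr
        if length == 0:                      # empty blob (the heap's first byte is one)
            entries.append({"offset": start, "text": "", "partial": False})
            continue
        data = buf[pos:pos + length]
        if len(data) < length:               # ran off the end of the excerpt
            text = data[: len(data) // 2 * 2].decode("utf-16-le")
            entries.append({"offset": start, "text": text, "partial": True})
            break
        entries.append({"offset": start, "text": data[:-1].decode("utf-16-le"),
                        "partial": False, "flag": data[-1]})
        pos += length
    return entries


def next_string_offset(match_offset: int, text: str) -> int:
    """Offset where the characters of the following #US entry start, given the offset at which
    the UTF-16LE characters of `text` start. Assumes the next entry's length fits one header
    byte (under 64 chars). Used to check the $s1 -> $s8 adjacency noted in the lead-in."""
    return match_offset + len(text) * 2 + 1 + 1   # chars, terminal byte, next length byte


if __name__ == "__main__":
    for entry in parse_us_heap(SAMPLE_US_FRAGMENT):
        print(entry)
    print(hex(next_string_offset(0x70b4b, "file:///")))
```

Strings in this heap are referenced by `ldstr` tokens rather than stored as null-terminated C strings, so ASCII-only string tools miss them; when writing Yara for .NET payloads, either use `wide` strings or, as this rule does, match a raw run of heap bytes including the length and terminal bytes, which is more specific than the words alone.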
            Snort IDS alerts (all four on the same flow, 192.168.2.5:49690 -> 66.96.134.29:587, TCP):

            SID: 2839723
            Timestamp: 03/20/23-14:47:40.789390
            Source IP: 192.168.2.5
            Source Port: 49690
            Destination IP: 66.96.134.29
            Destination Port: 587
            Protocol: TCP
            Classtype: A Network Trojan was detected

            SID: 2851779
            Timestamp: 03/20/23-14:47:40.789531
            Source IP: 192.168.2.5
            Source Port: 49690
            Destination IP: 66.96.134.29
            Destination Port: 587
            Protocol: TCP
            Classtype: A Network Trojan was detected

            SID: 2840032
            Timestamp: 03/20/23-14:47:40.789531
            Source IP: 192.168.2.5
            Source Port: 49690
            Destination IP: 66.96.134.29
            Destination Port: 587
            Protocol: TCP
            Classtype: A Network Trojan was detected

            SID: 2030171
            Timestamp: 03/20/23-14:47:40.789390
            Source IP: 192.168.2.5
            Source Port: 49690
            Destination IP: 66.96.134.29
            Destination Port: 587
            Protocol: TCP
            Classtype: A Network Trojan was detected


            AV Detection

            Source: PO_7413.exe | ReversingLabs: Detection: 30%
            Source: PO_7413.exe | Virustotal: Detection: 40%
            Source: PO_7413.exe | Joe Sandbox ML: detected
            Source: 2.2.PO_7413.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
            Source: 0.2.PO_7413.exe.378e940.4.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.printshopgt.com", "Username": "recepcion@printshopgt.com", "Password": "R3cGT17*"}
            Source: PO_7413.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: PO_7413.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: WXNg.pdbSHA256O source: PO_7413.exe
            Source: Binary string: WXNg.pdb source: PO_7413.exe

            Networking

            Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49690 -> 66.96.134.29:587
            Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49690 -> 66.96.134.29:587
            Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49690 -> 66.96.134.29:587
            Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49690 -> 66.96.134.29:587
            Source: Joe Sandbox View | ASN Name: BIZLAND-SDUS
            Source: global traffic | TCP traffic: 192.168.2.5:49690 -> 66.96.134.29:587
            Source: PO_7413.exe, 00000000.00000003.309795226.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309639619.0000000005740000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309866819.0000000005743000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.wikip
            Source: PO_7413.exe, 00000000.00000003.306402390.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306465269.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306497370.0000000005742000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306380254.0000000005742000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306358175.0000000005743000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.wu
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
            Source: PO_7413.exe, 00000002.00000002.573339941.00000000029D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.printshopgt.com
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313041787.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312856168.0000000005722000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
            Source: PO_7413.exe, 00000000.00000003.312919072.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313041787.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312856168.0000000005722000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comJl
            Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comand
            Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comen
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comms
            Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.compef
            Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comr
            Source: PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coms
            Source: PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314590924.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314060524.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com7
            Source: PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comB.TTF
            Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
            Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comals
            Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comalsF
            Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
            Source: PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd%
            Source: PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdTTF
            Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314060524.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comeded
            Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comlic
            Source: PO_7413.exe, 00000000.00000003.321613204.0000000005720000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comlvfet
            Source: PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comm
            Source: PO_7413.exe, 00000000.00000003.321613204.0000000005720000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.commK
            Source: PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comsiva7
            Source: PO_7413.exe, 00000000.00000003.309091289.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307673660.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307412713.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308652862.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308603977.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308204869.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308127982.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308409074.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307090748.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307291691.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308973363.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308162888.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309149145.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307957109.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308292309.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308917042.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308460070.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307145904.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308862175.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307814144.000000000575F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.310155887.000000000572D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: PO_7413.exe, 00000000.00000003.310287732.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.310370311.0000000005740000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.310481524.0000000005743000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: PO_7413.exe, 00000000.00000003.309955974.0000000005723000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309839200.0000000005722000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cns
            Source: PO_7413.exe, 00000000.00000003.309795226.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309866819.0000000005743000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cntyp
            Source: PO_7413.exe, 00000000.00000003.314864766.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314864766.000000000573A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: PO_7413.exe, 00000000.00000003.314864766.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/g
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: PO_7413.exe, 00000000.00000003.314864766.000000000573A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/x
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: PO_7413.exe, 00000000.00000003.312621841.0000000005736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: PO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/.
            Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312621841.0000000005736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/7
            Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/K
            Source: PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/T
            Source: PO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
            Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/e
            Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/T
            Source: PO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312621841.0000000005736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/o
            Source: PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/on
            Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/roso
            Source: PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s
            Source: PO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313437350.0000000005735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/x
            Source: PO_7413.exe, 00000000.00000003.314712938.000000000572A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.monotype.
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: PO_7413.exe, 00000000.00000003.306497370.000000000573B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.come
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: PO_7413.exe, 00000000.00000003.313407677.0000000005728000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.coms
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309358449.0000000000B1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: PO_7413.exe, 00000000.00000003.310758013.000000000575F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: PO_7413.exe, 00000000.00000003.314488615.000000000572C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: unknown | DNS traffic detected: queries for: mail.printshopgt.com
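The extracted configuration ("Exfil Mode": "SMTP", "Host": "mail.printshopgt.com") and the network evidence above (a DNS query for that host, then a TCP session to 66.96.134.29:587 that fired four AgentTesla SMTP-exfil Snort rules) are enough to build a detection without the Snort rules themselves. The Python below is an added example, not part of the Joe Sandbox report, that derives IOCs from the config and runs them over constructed Zeek-style dns and conn log lines; the port set, the approved-relay list and all log lines other than the 192.168.2.5 -> 66.96.134.29:587 flow are assumptions for illustration, and the Username/Password fields are left out because the logic does not need them.

```python
"""Turn an extracted AgentTesla SMTP config into IOCs and match them against sample logs."""
import json

# "Exfil Mode" and "Host" as extracted on this page (credential fields deliberately omitted).
EXTRACTED_CONFIG = '{"Exfil Mode": "SMTP", "Host": "mail.printshopgt.com"}'

# Peer the sandbox run on this page actually talked to (192.168.2.5:49690 -> 66.96.134.29:587).
OBSERVED_C2_IP = "66.96.134.29"

# Assumption: mail exfiltration uses the standard SMTP / submission ports.
SMTP_PORTS = {25, 465, 587}

# Assumption: the organisation's sanctioned outbound mail relays. Endpoint-originated SMTP to
# anything else is worth triage even before the destination is known to be bad.
APPROVED_RELAYS = {"10.0.0.25"}

# Constructed sample logs (Zeek-like, tab separated; not taken from the report).
# dns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto query qtype_name answers
SAMPLE_DNS_LOG = (
    "1679323660.100000\tCdns1\t192.168.2.5\t51234\t192.168.2.1\t53\tudp\tmail.printshopgt.com\tA\t66.96.134.29\n"
    "1679323661.000000\tCdns2\t192.168.2.7\t51235\t192.168.2.1\t53\tudp\twww.example.com\tA\t93.184.216.34\n"
)
# conn: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto conn_state
SAMPLE_CONN_LOG = (
    "1679323660.789000\tCcon1\t192.168.2.5\t49690\t66.96.134.29\t587\ttcp\tS1\n"
    "1679323662.000000\tCcon2\t192.168.2.7\t49700\t10.0.0.25\t587\ttcp\tSF\n"
    "1679323663.000000\tCcon3\t192.168.2.9\t49710\t142.250.74.46\t443\ttcp\tSF\n"
    "1679323664.000000\tCcon4\t192.168.2.9\t49711\t203.0.113.8\t465\ttcp\tSF\n"
)


def iocs_from_config(config_json: str) -> dict:
    """Derive network IOCs from an extracted config. Only SMTP mode is handled here; AgentTesla's
    other exfil modes (FTP, HTTP, Telegram) would contribute different hosts and ports."""
    cfg = json.loads(config_json)
    iocs = {"domains": set(), "ports": set(), "ips": set()}
    if cfg.get("Exfil Mode", "").upper() == "SMTP":
        iocs["domains"].add(cfg["Host"].lower().rstrip("."))
        iocs["ports"] |= SMTP_PORTS
    return iocs


def scan_dns(log_text: str, iocs: dict) -> list:
    """Flag queries for an IOC domain (or a subdomain of one) and learn the IPs it resolved to."""
    hits = []
    for line in log_text.splitlines():
        _ts, uid, src, _sp, _dst, _dp, _proto, query, _qtype, answers = line.split("\t")
        q = query.lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in iocs["domains"]):
            iocs["ips"].update(ip for ip in answers.split(",") if ip != "-")
            hits.append({"uid": uid, "src": src, "query": q, "reason": "query for C2 mail host"})
    return hits


def scan_conn(log_text: str, iocs: dict, approved_relays=APPROVED_RELAYS) -> list:
    """Flag TCP sessions on SMTP ports: to a known C2 IP is a definite hit, to any host that is
    not an approved relay is a policy hit that deserves a look."""
    hits = []
    for line in log_text.splitlines():
        _ts, uid, src, _sp, dst, dport, proto, _state = line.split("\t")
        if proto != "tcp" or int(dport) not in iocs["ports"]:
            continue
        if dst in iocs["ips"]:
            hits.append({"uid": uid, "src": src, "dst": f"{dst}:{dport}", "reason": "SMTP to C2 IP"})
        elif dst not in approved_relays:
            hits.append({"uid": uid, "src": src, "dst": f"{dst}:{dport}", "reason": "SMTP to unapproved relay"})
    return hits


def run(dns_log: str = SAMPLE_DNS_LOG, conn_log: str = SAMPLE_CONN_LOG) -> list:
    iocs = iocs_from_config(EXTRACTED_CONFIG)
    iocs["ips"].add(OBSERVED_C2_IP)          # seed with the resolution seen in the sandbox
    return scan_dns(dns_log, iocs) + scan_conn(conn_log, iocs)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The DNS pass runs first on purpose: whatever the host resolves to today is added to the IP set before the connection logs are scanned, so the detection keeps working after the operator moves the mailbox to another address. The relay allowlist is the part that needs tuning per environment; on a network where endpoints are not allowed to speak SMTP at all, the "unapproved relay" branch alone catches this family's exfil regardless of the configured host.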

            System Summary

            Source: 0.2.PO_7413.exe.378e940.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
            Source: initial sample | Static PE information: Filename: PO_7413.exe
            Source: PO_7413.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.2.PO_7413.exe.378e940.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 0_2_00A9C1E4
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 0_2_00A9E620
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 0_2_00A9E630
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_00CEA958
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_00CEC918
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_00CE9D40
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_00CEA088
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_00CE5A02
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_05CF0040
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_05CFBB90
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_05CF5290
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_05CF6660
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_0600B5E0
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_06004BA4
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_06000040
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_06003AC7
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_06003AD0
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_06006BC0
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_06000030
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_0600E158
            Source: PO_7413.exe, 00000000.00000002.336165397.000000000364A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000000.304081466.00000000000F4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWXNg.exe, vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000002.352280355.00000000070D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000002.350412716.00000000056E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000002.336165397.00000000039CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamee4ad9a59-b33d-4d55-a700-559a300ec7fa.exe4 vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000002.336165397.0000000003469000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000002.328662557.000000000249B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs PO_7413.exe
            Source: PO_7413.exe, 00000000.00000002.328662557.000000000249B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamee4ad9a59-b33d-4d55-a700-559a300ec7fa.exe4 vs PO_7413.exe
            Source: PO_7413.exe, 00000002.00000002.570305709.0000000000CFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO_7413.exe
            Source: PO_7413.exe, 00000002.00000002.569046949.0000000000958000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO_7413.exe
            Source: PO_7413.exe, 00000002.00000002.568899826.000000000042C000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamee4ad9a59-b33d-4d55-a700-559a300ec7fa.exe4 vs PO_7413.exe
            Source: PO_7413.exe | Binary or memory string: OriginalFilenameWXNg.exe, vs PO_7413.exe
            Source: PO_7413.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: PO_7413.exe | ReversingLabs: Detection: 30%
            Source: PO_7413.exe | Virustotal: Detection: 40%
            Source: C:\Users\user\Desktop\PO_7413.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\PO_7413.exe C:\Users\user\Desktop\PO_7413.exe
            Source: C:\Users\user\Desktop\PO_7413.exe | Process created: C:\Users\user\Desktop\PO_7413.exe C:\Users\user\Desktop\PO_7413.exe
            Source: C:\Users\user\Desktop\PO_7413.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\PO_7413.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\PO_7413.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\PO_7413.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_7413.exe.log
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/1
            Source: PO_7413.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\PO_7413.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\PO_7413.exe | Mutant created: \Sessions\1\BaseNamedObjects\ryXTJdrlWpWbGOmNsq
            Source: C:\Users\user\Desktop\PO_7413.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\PO_7413.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Users\user\Desktop\PO_7413.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: PO_7413.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: PO_7413.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: PO_7413.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: WXNg.pdbSHA256O source: PO_7413.exe
            Source: Binary string: WXNg.pdb source: PO_7413.exe
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_05CF79AF push edi; iretd
            Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_05CF9EA0 pushfd ; ret
            Source: PO_7413.exe | Static PE information: 0xE7AB8A5F [Sun Mar 1 20:49:35 2093 UTC]
            Source: initial sample | Static PE information: section name: .text entropy: 7.880495014103316
            Source: C:\Users\user\Desktop\PO_7413.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\PO_7413.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Users\user\Desktop\PO_7413.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 4692 | Thread sleep time: -40023s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 632 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 4924 | Thread sleep count: 4139 > 30
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -14757395258967632s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -100000s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99843s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99734s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99616s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99483s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99373s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99243s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -99111s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98938s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98779s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98641s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98500s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98390s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98281s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98171s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -98062s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -97953s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -97843s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe TID: 1236 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\PO_7413.exe | Window / User API: threadDelayed 4139
            Source: C:\Users\user\Desktop\PO_7413.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\PO_7413.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\PO_7413.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 40023
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 100000
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99843
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99734
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99616
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99483
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99373
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99243
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 99111
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98938
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98779
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98641
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98500
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98390
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98281
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98171
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 98062
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 97953
            Source: C:\Users\user\Desktop\PO_7413.exe | Thread delayed: delay time: 97843
            Source: PO_7413.exe, 00000002.00000002.570305709.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllro
            Source: C:\Users\user\Desktop\PO_7413.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\PO_7413.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\PO_7413.exe | Memory written: C:\Users\user\Desktop\PO_7413.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\PO_7413.exe | Process created: C:\Users\user\Desktop\PO_7413.exe C:\Users\user\Desktop\PO_7413.exe
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Users\user\Desktop\PO_7413.exe VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\PO_7413.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Users\user\Desktop\PO_7413.exe VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_7413.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\PO_7413.exe | Code function: 2_2_00CEF670 GetUserNameW,

            Stealing of Sensitive Information

Source: Yara match | File source: 0.2.PO_7413.exe.378e940.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO_7413.exe PID: 4636, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO_7413.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PO_7413.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\PO_7413.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\PO_7413.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\PO_7413.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\PO_7413.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PO_7413.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO_7413.exe PID: 4636, type: MEMORYSTR
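The credential-store accesses listed above are the discriminating signal in this report: one process opening the Thunderbird and Firefox profiles.ini files, the Outlook profile key, the IncrediMail identities key, the WinSCP sessions key and Chrome's Login Data in a single run is the harvesting pattern, whereas the long run of font-file VolumeInformation queries in the preceding section is consistent with .NET font enumeration (System.Drawing.dll is loaded) and carries little weight on its own. The following Python is an added example, not part of the Joe Sandbox report and not the sample's code: a small detector that, given file and registry access events, flags any process that touches several distinct credential stores. The store patterns are derived only from the paths and keys the report shows; the event records, the benign processes (thunderbird.exe, explorer.exe) and the threshold of three stores are constructed for the example.

```python
import re
from collections import defaultdict

# Credential stores named in this report's "Stealing of Sensitive Information"
# entries. Patterns run against the lower-cased path or registry key; the user
# profile directory and the Chrome profile name are wildcarded.
CREDENTIAL_STORES = {
    "thunderbird_profiles":   re.compile(r"\\appdata\\roaming\\thunderbird\\profiles\.ini$"),
    "firefox_profiles":       re.compile(r"\\appdata\\roaming\\mozilla\\firefox\\profiles\.ini$"),
    "chrome_login_data":      re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$"),
    "outlook_profile":        re.compile(r"^hkey_current_user\\software\\microsoft\\windows nt"
                                         r"\\currentversion\\windows messaging subsystem\\profiles\\outlook\\"),
    "incredimail_identities": re.compile(r"^hkey_current_user\\software\\incredimail\\identities$"),
    "winscp_sessions":        re.compile(r"^hkey_current_user\\software\\martin prikryl\\winscp 2\\sessions$"),
}

# Constructed events (process, operation, target). The PO_7413.exe lines mirror
# the report's entries; the two other processes are benign noise added for contrast.
SAMPLE_EVENTS = [
    ("PO_7413.exe", "File opened", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    ("PO_7413.exe", "File opened", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    ("PO_7413.exe", "Key opened",  r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ("PO_7413.exe", "Key opened",  r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    ("PO_7413.exe", "Key opened",  r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    ("PO_7413.exe", "File opened", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("PO_7413.exe", "File opened", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    ("PO_7413.exe", "Queries volume information", r"C:\Windows\Fonts\BOOKOSB.TTF"),
    # thunderbird.exe legitimately reads its own profiles.ini: one store only
    ("thunderbird.exe", "File opened", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    # explorer.exe enumerating fonts touches no credential store at all
    ("explorer.exe", "Queries volume information", r"C:\Windows\Fonts\impact.ttf"),
]

def classify(target):
    """Return the credential-store label for a path or registry key, or None."""
    t = target.lower()
    for name, pattern in CREDENTIAL_STORES.items():
        if pattern.search(t):
            return name
    return None

def find_harvesters(events, threshold=3):
    """Map each process to the sorted list of distinct stores it touched and keep
    only processes at or above `threshold`. One store is normal for the owning
    application; breadth across unrelated applications is what characterises a
    credential harvester, so the count is over distinct stores, not events."""
    touched = defaultdict(set)
    for process, _operation, target in events:
        store = classify(target)
        if store is not None:
            touched[process].add(store)
    return {p: sorted(s) for p, s in touched.items() if len(s) >= threshold}

def demo():
    return find_harvesters(SAMPLE_EVENTS)

if __name__ == "__main__":
    for process, stores in demo().items():
        print(f"{process}: {len(stores)} credential stores -> {', '.join(stores)}")
```

Run against the constructed events, only PO_7413.exe is reported, with all six stores; thunderbird.exe touches one store and is dropped by the threshold, and the font queries never classify as a store.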

            Remote Access Functionality

Source: Yara match | File source: 0.2.PO_7413.exe.378e940.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO_7413.exe PID: 4636, type: MEMORYSTR
MITRE ATT&CK matrix (rebuilt from the flattened extraction, one line per tactic column, techniques in the matrix's row order; the numeric prefixes are reproduced exactly as they appear in the report's cells):
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 211 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 111 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 111 Process Injection; 2 Obfuscated Files or Information; 3 Software Packing; 1 Timestomp; Indicator Removal from Tools
Credential Access: 1 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 111 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery; 114 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Antivirus detection, initial sample:
Source | Detection | Scanner | Label
PO_7413.exe | 31% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
PO_7413.exe | 40% | Virustotal |
PO_7413.exe | 100% | Joe Sandbox ML |

Dropped files: No Antivirus matches

Unpacked PE files:
Source | Detection | Scanner | Label
2.2.PO_7413.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains: No Antivirus matches

URLs:
URL | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.carterandcone.comen | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.fontbureau.comalsF | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/roso | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/7 | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fontbureau.comB.TTF | 0% | URL Reputation | safe
http://www.founder.com.cn/cns | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/. | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/T | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.fontbureau.com7 | 0% | URL Reputation | safe
http://www.urwpp.de | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sajatypeworks.come | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.carterandcone.compef | 0% | URL Reputation | safe
http://www.fontbureau.comeded | 0% | URL Reputation | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/T | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/K | 0% | URL Reputation | safe
http://www.carterandcone.comr | 0% | URL Reputation | safe
http://www.fontbureau.commK | 0% | URL Reputation | safe
http://www.fontbureau.comlic | 0% | URL Reputation | safe
http://www.carterandcone.coms | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comd% | 0% | Avira URL Cloud | safe
http://www.sakkal.coms | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/x | 0% | Avira URL Cloud | safe
http://www.carterandcone.comms | 0% | Avira URL Cloud | safe
http://en.wu | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/g | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/on | 0% | URL Reputation | safe
http://en.wikip | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/x | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/s | 0% | URL Reputation | safe
http://www.fontbureau.comdTTF | 0% | URL Reputation | safe
http://www.monotype. | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/o | 0% | URL Reputation | safe
http://www.fontbureau.comlvfet | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comals | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/e | 0% | URL Reputation | safe
http://www.fontbureau.comsiva7 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comand | 0% | URL Reputation | safe
http://mail.printshopgt.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cntyp | 0% | Avira URL Cloud | safe
http://www.carterandcone.comJl | 0% | Avira URL Cloud | safe
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.printshopgt.com | 66.96.134.29 | true | true | | unknown
URLs found in memory:
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.comen | PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd% | PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | PO_7413.exe, 00000000.00000003.310758013.000000000575F000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313041787.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312856168.0000000005722000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comalsF | PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/roso | PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/7 | PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312621841.0000000005736000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.coms | PO_7413.exe, 00000000.00000003.313407677.0000000005728000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comB.TTF | PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cns | PO_7413.exe, 00000000.00000003.309955974.0000000005723000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309839200.0000000005722000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/x | PO_7413.exe, 00000000.00000003.314864766.000000000573A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/. | PO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | PO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comms | PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://en.wu | PO_7413.exe, 00000000.00000003.306402390.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306465269.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306497370.0000000005742000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306380254.0000000005742000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.306358175.0000000005743000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | PO_7413.exe, 00000000.00000003.309091289.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307673660.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307412713.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308652862.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308603977.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308204869.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308127982.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308409074.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307090748.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307291691.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308973363.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308162888.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309149145.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307957109.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308292309.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308917042.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308460070.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307145904.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.308862175.000000000575F000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.307814144.000000000575F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309358449.0000000000B1C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/T | PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com7 | PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | PO_7413.exe, 00000000.00000003.314488615.000000000572C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.come | PO_7413.exe, 00000000.00000003.306497370.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/g | PO_7413.exe, 00000000.00000003.314864766.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.compef | PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | PO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314590924.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314060524.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comeded | PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313999190.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314060524.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/ | PO_7413.exe, 00000000.00000003.314864766.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314864766.000000000573A000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/T | PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/K | PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comr | PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.commK | PO_7413.exe, 00000000.00000003.321613204.0000000005720000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comlic | PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coms | PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/on | PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://en.wikip | PO_7413.exe, 00000000.00000003.309795226.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309639619.0000000005740000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309866819.0000000005743000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd | PO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comsiva7 | PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | PO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp | false
                            • URL Reputation: safe
                            unknown
                            http://www.founder.com.cn/cn/PO_7413.exe, 00000000.00000003.310287732.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.310370311.0000000005740000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.310481524.0000000005743000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://mail.printshopgt.comPO_7413.exe, 00000002.00000002.573339941.00000000029D9000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.fontbureau.com/designers/cabarga.htmlNPO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://www.founder.com.cn/cnPO_7413.exe, 00000000.00000002.350675185.0000000006932000.00000004.00000800.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.310155887.000000000572D000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/xPO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313437350.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers/frere-jones.htmlPO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.jiyu-kobo.co.jp/sPO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.comdTTFPO_7413.exe, 00000000.00000003.313872425.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.monotype.PO_7413.exe, 00000000.00000003.314712938.000000000572A000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/oPO_7413.exe, 00000000.00000003.313331989.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312621841.0000000005736000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.comlvfetPO_7413.exe, 00000000.00000003.321613204.0000000005720000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.commPO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314250685.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314133005.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.jiyu-kobo.co.jp/PO_7413.exe, 00000000.00000003.312621841.0000000005736000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers8PO_7413.exe, 00000000.00000002.350675185.0000000006A1C000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.fontbureau.comalsPO_7413.exe, 00000000.00000003.314396930.0000000005735000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314488615.0000000005739000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.314315988.0000000005735000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/ePO_7413.exe, 00000000.00000003.313176984.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312826759.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312890011.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312706788.000000000573B000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312994530.000000000573B000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.carterandcone.comJlPO_7413.exe, 00000000.00000003.312919072.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.313041787.0000000005722000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.312856168.0000000005722000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.carterandcone.comandPO_7413.exe, 00000000.00000003.312009586.0000000005722000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cntypPO_7413.exe, 00000000.00000003.309795226.0000000005743000.00000004.00000020.00020000.00000000.sdmp, PO_7413.exe, 00000000.00000003.309866819.0000000005743000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
66.96.134.29 | mail.printshopgt.com | United States | 29873 | BIZLAND-SDUS | true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830617
Start date and time: 2023-03-20 14:46:21 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 40s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: PO_7413.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@1/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analysed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly information
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
Time | Type | Description
14:47:25 | API Interceptor | 19x Sleep call for process: PO_7413.exe modified
Process: C:\Users\user\Desktop\PO_7413.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.8746286820631415
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: PO_7413.exe
File size: 921600
MD5: 1b3b644b48693ffea0d42032e778906b
SHA1: 2a26e739cae611522e94853194499765aa7ba30c
SHA256: 79bcc176d961b06ff3f7af0000c16e8fae56cf03b504153e439ecbccfaa34bbf
SHA512: 5889b4312b50de48da9e57d0eeba34ffe7f552f9213168e968987150752c353ddf9191b421ef89ec32249002d261f252eb34870320d1cc61b630e8f0102ccad7
SSDEEP: 24576:FKUX6CbNDSMEBscggDeSOrwBNKDAsJvZ:pXZbIXBxeS5BNKr7
TLSH: 4A1502246BEB8326F6365BBD91A12682577E27A37703D68D1CF112CA4727B014FD132B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.................0..............%... ...@....@.. ....................................@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4e25aa
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xE7AB8A5F [Sun Mar 1 20:49:35 2093 UTC] (seventy years after the analysis date; this is what the "Binary contains a suspicious time stamp" signature refers to)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the bytes that follow are zero padding, which the disassembler renders as a long run of "add byte ptr [eax], al")

With Imagebase 0x400000, the jump goes through the single IAT slot at RVA 0x2000 (IMAGE_DIRECTORY_ENTRY_IAT below, size 0x8), and the only import is mscoree.dll!_CorExeMain. This is the standard native entry stub of a .NET executable: the real behaviour lives in the managed code, not at this entry point.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe2558 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe4000 | 0x58c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xe035c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe05b0 | 0xe0600 | False | 0.936121387534819 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 7.880495014103316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe4000 | 0x58c | 0x600 | False | 0.4173177083333333 | data | 4.044715606987517 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xe4090 | 0x2fc | data | |
RT_MANIFEST | 0xe439c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
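The static fields above (a TimeDateStamp of 0xE7AB8A5F and a .text section at entropy 7.88) are what drive the "suspicious time stamp" and packed-code findings in this report. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it reads the COFF header and section table with struct alone, converts the timestamp, measures per-section entropy, and flags both conditions. The file it parses is a fixture constructed here (a header-only PE carrying the sample's reported timestamp, with SHA-256-generated filler standing in for packed code); the entropy threshold of 7.0 and the use of the analysis start time as the "now" reference are choices of this example.

```python
import hashlib
import math
import struct
from datetime import datetime, timedelta, timezone

# Reference point for the "built in the future" check: the report's analysis
# start (2023-03-20 14:46:21 +01:00, i.e. 13:46:21 UTC). Chosen for this example.
ANALYSIS_TIME = datetime(2023, 3, 20, 13, 46, 21, tzinfo=timezone.utc)
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte on the same 0..8 scale the report uses for sections."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the COFF header and section table of a PE image using struct only."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sections = []
    table = pe_off + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr, _rel, _lin, _nrel, _nlin,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "entropy": shannon_entropy(raw),
        })
    return {"machine": machine, "timestamp": timestamp,
            "characteristics": characteristics, "sections": sections}


def triage(pe: dict, now: datetime = ANALYSIS_TIME) -> list:
    """The two static findings the report raises: future build time, packed code."""
    findings = []
    built = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=pe["timestamp"])
    if built > now:
        findings.append(f"suspicious timestamp: TimeDateStamp 0x{pe['timestamp']:08X} "
                        f"is {built:%Y-%m-%d %H:%M:%S} UTC, after the analysis date")
    for s in pe["sections"]:
        if s["executable"] and s["entropy"] > 7.0:
            findings.append(f"packed or encrypted code: {s['name']} entropy {s['entropy']:.2f}")
    return findings


# --- constructed fixture (not the real PO_7413.exe) ---------------------------

def pseudo_random(n: int, seed: bytes = b"fixture") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_fixture_pe(timestamp: int, text: bytes, rsrc: bytes) -> bytes:
    """Header-only PE: DOS header, COFF header, no optional header, two sections.
    Enough for parse_pe(); it is not a loadable image."""
    text_ptr = 0x200
    rsrc_ptr = text_ptr + len(text)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 0, 0x0102)  # i386, 2 sections

    def section(name, vaddr, blob, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(blob), vaddr, len(blob), ptr, 0, 0, 0, 0, flags)

    headers = (dos + b"PE\0\0" + coff
               + section(b".text", 0x2000, text, text_ptr, 0x60000020)     # CODE|EXECUTE|READ
               + section(b".rsrc", 0xE4000, rsrc, rsrc_ptr, 0x40000040))   # INITIALIZED_DATA|READ
    return headers.ljust(text_ptr, b"\0") + text + rsrc


def fixture_findings() -> list:
    """Run the triage over a fixture that carries the sample's reported timestamp."""
    image = build_fixture_pe(0xE7AB8A5F, pseudo_random(4096), b"\0" * 512)
    return triage(parse_pe(image))


if __name__ == "__main__":
    for line in fixture_findings():
        print(line)
```

Run against the real file, `parse_pe(open("PO_7413.exe", "rb").read())` would return the same section names, addresses and raw sizes listed in the table above; the fixture only reproduces the timestamp and the high-entropy executable section, which is what the two checks key on. A high-entropy .text with a single mscoree import is the classic profile of an obfuscated .NET loader, and the timestamp check is cheap enough to run on every binary at ingest.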
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/20/23-14:47:40.789390 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49690 | 587 | 192.168.2.5 | 66.96.134.29
03/20/23-14:47:40.789531 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49690 | 587 | 192.168.2.5 | 66.96.134.29
03/20/23-14:47:40.789531 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49690 | 587 | 192.168.2.5 | 66.96.134.29
03/20/23-14:47:40.789390 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 14:47:38.902317047 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:47:39.007510900 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:39.007812023 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:47:39.114033937 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:39.119223118 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:47:39.224498987 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:39.224586964 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:39.225270033 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:47:39.330396891 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:39.330877066 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:39.331320047 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:47:39.436825037 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:39.438386917 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:39.438667059 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:47:39.544048071 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:39.546717882 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:39.546988964 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:47:39.652383089 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:40.681462049 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:40.681699991 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:47:40.787223101 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:40.787426949 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:40.789390087 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:47:40.789530993 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:47:40.789588928 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:47:40.789647102 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:47:40.894815922 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:40.894861937 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:40.896704912 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:47:41.036768913 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:49:19.270958900 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:49:19.376615047 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:49:19.377424002 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:49:19.377515078 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Mar 20, 2023 14:49:19.377933025 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:49:19.380515099 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29
Mar 20, 2023 14:49:19.485925913 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 14:47:38.769144058 CET | 58218 | 53 | 192.168.2.5 | 8.8.8.8
Mar 20, 2023 14:47:38.882294893 CET | 53 | 58218 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 14:47:38.769144058 CET | 192.168.2.5 | 8.8.8.8 | 0x699a | Standard query (0) | mail.printshopgt.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 14:47:38.882294893 CET | 8.8.8.8 | 192.168.2.5 | 0x699a | No error (0) | mail.printshopgt.com | | 66.96.134.29 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Mar 20, 2023 14:47:39.114033937 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 220 ESMTP Mon, 20 Mar 2023 09:47:39 -0400: UCE strictly prohibited
Mar 20, 2023 14:47:39.119223118 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | EHLO 367706
Mar 20, 2023 14:47:39.224586964 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 250-bosauthsmtp04.yourhostingaccount.com Hello 367706 [84.17.52.9]
    250-SIZE 34603008
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-AUTH PLAIN LOGIN
    250-CHUNKING
    250-STARTTLS
    250 HELP
Mar 20, 2023 14:47:39.225270033 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | AUTH login cmVjZXBjaW9uQHByaW50c2hvcGd0LmNvbQ==
Mar 20, 2023 14:47:39.330877066 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Mar 20, 2023 14:47:39.438386917 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 235 Authentication succeeded
Mar 20, 2023 14:47:39.438667059 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | MAIL FROM:<recepcion@printshopgt.com>
Mar 20, 2023 14:47:39.546717882 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 250 OK
Mar 20, 2023 14:47:39.546988964 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | RCPT TO:<recepcion@printshopgt.com>
Mar 20, 2023 14:47:40.681462049 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 250 Accepted
Mar 20, 2023 14:47:40.681699991 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | DATA
Mar 20, 2023 14:47:40.787426949 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
Mar 20, 2023 14:47:40.789647102 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | .
Mar 20, 2023 14:47:40.896704912 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 250 OK id=1peFrQ-00054x-Nh
Mar 20, 2023 14:49:19.270958900 CET | 49690 | 587 | 192.168.2.5 | 66.96.134.29 | QUIT
Mar 20, 2023 14:49:19.377424002 CET | 587 | 49690 | 66.96.134.29 | 192.168.2.5 | 221 bosauthsmtp04.yourhostingaccount.com closing connection
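The SMTP capture above is the exfiltration channel: the sample authenticates to the server with AUTH LOGIN on port 587 without first issuing STARTTLS (the server advertises it, the client never uses it), so the base64 username and password cross the wire in cleartext, and it then mails the stolen data from the compromised mailbox to that same mailbox. The script below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling, that replays the exchange as a constructed (direction, line) transcript, decodes the base64 AUTH LOGIN tokens, pulls the IOCs (EHLO name, server name, MAIL FROM, RCPT TO, queue id) and raises the three indicators an analyst would want from this session. The transcript embeds only what the report shows; the client's answer to the 334 password prompt is not in the report and is therefore left out, and the `SmtpSession` and `parse_smtp` names are this example's own.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Constructed input: the SMTP exchange from the sandbox capture, reduced to
# (direction, line) pairs. "C" is the sandbox client 192.168.2.5, "S" is
# 66.96.134.29. The client's reply to the "334" password challenge is not
# shown in the report, so it is deliberately absent here too.
SMTP_TRANSCRIPT = [
    ("S", "220 ESMTP Mon, 20 Mar 2023 09:47:39 -0400: UCE strictly prohibited"),
    ("C", "EHLO 367706"),
    ("S", "250-bosauthsmtp04.yourhostingaccount.com Hello 367706 [84.17.52.9]"),
    ("S", "250-SIZE 34603008"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250-PIPE_CONNECT"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-CHUNKING"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "AUTH login cmVjZXBjaW9uQHByaW50c2hvcGd0LmNvbQ=="),
    ("S", "334 UGFzc3dvcmQ6"),
    ("S", "235 Authentication succeeded"),
    ("C", "MAIL FROM:<recepcion@printshopgt.com>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<recepcion@printshopgt.com>"),
    ("S", "250 Accepted"),
    ("C", "DATA"),
    ("S", '354 Enter message, ending with "." on a line by itself'),
    ("C", "."),
    ("S", "250 OK id=1peFrQ-00054x-Nh"),
    ("C", "QUIT"),
    ("S", "221 bosauthsmtp04.yourhostingaccount.com closing connection"),
]

_ADDR = re.compile(r"<([^>]*)>")


def _b64(token):
    """Decode one base64 token; return '' if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


@dataclass
class SmtpSession:
    ehlo_name: str = ""
    server_name: str = ""
    advertises_starttls: bool = False
    tls_before_auth: bool = False
    auth_mechanism: str = ""
    auth_username: str = ""
    challenges: list = field(default_factory=list)   # decoded 334 prompts
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    queue_id: str = ""

    def findings(self):
        """Indicators worth raising from this single session."""
        out = []
        if self.auth_mechanism and not self.tls_before_auth:
            out.append("cleartext credentials: AUTH %s without prior STARTTLS" % self.auth_mechanism)
        if self.mail_from and self.rcpt_to and all(r == self.mail_from for r in self.rcpt_to):
            out.append("self-addressed message: MAIL FROM equals every RCPT TO")
        if self.auth_username and self.auth_username == self.mail_from:
            out.append("authenticated mailbox is also the sender: %s" % self.auth_username)
        return out


def parse_smtp(transcript):
    sess = SmtpSession()
    in_ehlo_reply = False
    tls_started = False
    creds_pending = False   # next bare client line is a base64 credential blob
    for who, line in transcript:
        if who == "S":
            code, rest = line[:3], line[4:]
            if in_ehlo_reply and code == "250":
                if not sess.server_name:
                    sess.server_name = rest.split()[0]
                if rest.upper().startswith("STARTTLS"):
                    sess.advertises_starttls = True
                in_ehlo_reply = line[3:4] == "-"     # "250 " ends the multi-line reply
            elif code == "334":
                sess.challenges.append(_b64(rest.strip()))
            elif code in ("235", "535"):             # auth finished, success or failure
                creds_pending = False
            elif code == "250" and rest.startswith("OK id="):
                sess.queue_id = rest[len("OK id="):].strip()
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            sess.ehlo_name = line[5:].strip()
            in_ehlo_reply = True
        elif verb == "STARTTLS":
            tls_started = True
        elif verb == "AUTH":
            parts = line.split()
            sess.auth_mechanism = parts[1].upper()
            sess.tls_before_auth = tls_started
            creds_pending = True
            if len(parts) > 2:                       # initial response on the AUTH line
                initial = _b64(parts[2])
                if sess.auth_mechanism == "PLAIN":
                    fields = initial.split("\0")     # authzid \0 authcid \0 password
                    sess.auth_username = fields[1] if len(fields) == 3 else ""
                else:
                    sess.auth_username = initial
        elif verb == "MAIL":
            m = _ADDR.search(line)
            sess.mail_from = m.group(1) if m else ""
        elif verb == "RCPT":
            m = _ADDR.search(line)
            if m:
                sess.rcpt_to.append(m.group(1))
        elif creds_pending and not sess.auth_username:
            # LOGIN sends username, then password, as bare base64 lines; keep only
            # the username so the password never lands in analyst output
            sess.auth_username = _b64(line.strip())
    return sess


if __name__ == "__main__":
    s = parse_smtp(SMTP_TRANSCRIPT)
    print("EHLO %s -> %s, AUTH %s as %s, queue id %s" % (
        s.ehlo_name, s.server_name, s.auth_mechanism, s.auth_username, s.queue_id))
    for f in s.findings():
        print(" -", f)
```

The decoded `334 UGFzc3dvcmQ6` prompt is the literal string `Password:`, and the AUTH LOGIN initial response decodes to `recepcion@printshopgt.com`, the same address used in MAIL FROM and RCPT TO; on a real network tap the password line that the report omits would decode the same way, which is why a rule alerting on `AUTH LOGIN`/`AUTH PLAIN` on port 587 without a preceding `STARTTLS` from the client is a cheap, high-signal detection for this family's SMTP exfiltration.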

                                  Target ID:0
                                  Start time:14:47:19
                                  Start date:20/03/2023
                                  Path:C:\Users\user\Desktop\PO_7413.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\PO_7413.exe
                                  Imagebase:0x10000
                                  File size:921600 bytes
                                  MD5 hash:1B3B644B48693FFEA0D42032E778906B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:low

                                  Target ID:1
                                  Start time:14:47:27
                                  Start date:20/03/2023
                                  Path:C:\Users\user\Desktop\PO_7413.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Users\user\Desktop\PO_7413.exe
                                  Imagebase:0x80000
                                  File size:921600 bytes
                                  MD5 hash:1B3B644B48693FFEA0D42032E778906B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low

                                  Target ID:2
                                  Start time:14:47:27
                                  Start date:20/03/2023
                                  Path:C:\Users\user\Desktop\PO_7413.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\PO_7413.exe
                                  Imagebase:0x4d0000
                                  File size:921600 bytes
                                  MD5 hash:1B3B644B48693FFEA0D42032E778906B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.573339941.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low

                                  No disassembly