Create Interactive Tour

Windows Analysis Report
po.exe

Overview

General Information

Sample Name:po.exe
Analysis ID:764543
MD5:1366f09969c727410c578b1cbbc3d7bb
SHA1:b3ff3299abc99595b9cce72d3caa8f680f03980e
SHA256:0f371fd55d2f262b3e904d6249299f9b259b37e7f1d6b972c65d258390fe198e
Tags:exe
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
One or more processes crash
Checks if the current process is being debugged

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
  • System is w10x64
  • po.exe (PID: 1116 cmdline: C:\Users\user\Desktop\po.exe MD5: 1366F09969C727410C578B1CBBC3D7BB)
    • WerFault.exe (PID: 5128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1192 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: po.exeReversingLabs: Detection: 73%
Source: po.exeVirustotal: Detection: 52%Perma Link
Source: po.exeJoe Sandbox ML: detected
Source: po.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: po.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.pdbAccessibility.dll source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Core.ni.pdbRSDSD source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Xml.ni.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: iC:\Users\user\Desktop\SluOVhP.pdb source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb' source: WER694D.tmp.dmp.2.dr
Source: Binary string: .pdb0 source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.ni.pdbRSDS source: WER694D.tmp.dmp.2.dr
Source: Binary string: i0C:\Windows\SluOVhP.pdb source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER694D.tmp.dmp.2.dr
Source: Binary string: SluOVhP.pdb source: po.exe, WER694D.tmp.dmp.2.dr
Source: Binary string: System.Configuration.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: iHC:\Users\user\Desktop\SluOVhP.pdb6Z source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: symbols\exe\SluOVhP.pdb source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: C:\Users\user\Desktop\po.PDB\ source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: po.PDB/ source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: c.pdbisS source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: SluOVhP.pdbluOVhP.pdbpdbVhP.pdb53321935-2125563209-4053062332-1002/ source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: SluOVhP.pdbSHA2564 source: po.exe, WER694D.tmp.dmp.2.dr
Source: Binary string: System.Drawing.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: mscorlib.ni.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Core.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Drawing.pdb$, source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Windows.Forms.pdbu source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Xml.ni.pdbRSDS source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.ni.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER694D.tmp.dmp.2.dr
Source: po.exe, 00000000.00000003.240816738.00000000019BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.w
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241803871.00000000061FB000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241730213.00000000061FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000000.267003380.00000000061E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.248623484.00000000061ED000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.248360260.00000000061E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.248623484.00000000061ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
Source: po.exe, 00000000.00000000.267003380.00000000061E0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comion2
Source: po.exe, 00000000.00000003.241310425.00000000061FB000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241351924.00000000061FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
Source: po.exe, 00000000.00000003.241413362.00000000061FB000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241351924.00000000061FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comF
Source: po.exe, 00000000.00000003.241413362.00000000061FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comic
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.244624481.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.244825933.00000000061E9000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.244880056.00000000061EB000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.244591367.000000000621D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: po.exe, 00000000.00000003.244819081.00000000061E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: po.exe, 00000000.00000003.244591367.000000000621D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cne-d
Source: po.exe, 00000000.00000003.244591367.000000000621D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnk-s
Source: po.exe, 00000000.00000003.244591367.000000000621D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnv-s
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/&:
Source: po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/.:
Source: po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Curs
Source: po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Kal1
Source: po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: po.exe, 00000000.00000003.241435364.0000000006203000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241147125.0000000006204000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241200145.0000000006202000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241115693.0000000006203000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241166786.0000000006204000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241396248.0000000006204000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241472437.0000000006202000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241325027.0000000006203000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241363800.0000000006204000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241277174.0000000006204000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241073753.00000000061FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: po.exe, 00000000.00000003.241435364.0000000006203000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241200145.0000000006202000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241115693.0000000006203000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241472437.0000000006202000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241325027.0000000006203000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241073753.00000000061FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.coma-d
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
Source: po.exe, 00000000.00000003.243229870.00000000061E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: po.exe, 00000000.00000003.243229870.00000000061E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krtio
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241803871.00000000061FB000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241730213.00000000061FB000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241833835.00000000061FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
Source: po.exe, 00000000.00000003.241803871.00000000061FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comH
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
Source: po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: po.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: po.exe, 00000000.00000000.237383644.0000000000F68000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSluOVhP.exeB vs po.exe
Source: po.exe, 00000000.00000000.264371035.00000000032F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCassa.dll< vs po.exe
Source: po.exeBinary or memory string: OriginalFilenameSluOVhP.exeB vs po.exe
Source: C:\Users\user\Desktop\po.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1192
Source: po.exeReversingLabs: Detection: 73%
Source: po.exeVirustotal: Detection: 52%
Source: C:\Users\user\Desktop\po.exeFile read: C:\Users\user\Desktop\po.exeJump to behavior
Source: po.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\po.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: po.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\po.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\po.exe C:\Users\user\Desktop\po.exe
Source: C:\Users\user\Desktop\po.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1192
Source: C:\Users\user\Desktop\po.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1116
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER694D.tmpJump to behavior
Source: classification engineClassification label: mal52.winEXE@2/4@0/0
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\po.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: po.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: po.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: po.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: System.Xml.pdbAccessibility.dll source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Core.ni.pdbRSDSD source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Xml.ni.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: iC:\Users\user\Desktop\SluOVhP.pdb source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb' source: WER694D.tmp.dmp.2.dr
Source: Binary string: .pdb0 source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.ni.pdbRSDS source: WER694D.tmp.dmp.2.dr
Source: Binary string: i0C:\Windows\SluOVhP.pdb source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER694D.tmp.dmp.2.dr
Source: Binary string: SluOVhP.pdb source: po.exe, WER694D.tmp.dmp.2.dr
Source: Binary string: System.Configuration.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: iHC:\Users\user\Desktop\SluOVhP.pdb6Z source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: symbols\exe\SluOVhP.pdb source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: C:\Users\user\Desktop\po.PDB\ source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: po.PDB/ source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: c.pdbisS source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: SluOVhP.pdbluOVhP.pdbpdbVhP.pdb53321935-2125563209-4053062332-1002/ source: po.exe, 00000000.00000000.263199963.00000000012F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: SluOVhP.pdbSHA2564 source: po.exe, WER694D.tmp.dmp.2.dr
Source: Binary string: System.Drawing.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: mscorlib.ni.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Core.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Drawing.pdb$, source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Windows.Forms.pdbu source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.Xml.ni.pdbRSDS source: WER694D.tmp.dmp.2.dr
Source: Binary string: System.ni.pdb source: WER694D.tmp.dmp.2.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER694D.tmp.dmp.2.dr
Source: initial sampleStatic PE information: section name: .text entropy: 7.317482231797024
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\po.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\po.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Users\user\Desktop\po.exe VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\po.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath Interception1
Process Injection
1
Virtualization/Sandbox Evasion
OS Credential Dumping1
Security Software Discovery
Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Disable or Modify Tools
LSASS Memory1
Virtualization/Sandbox Evasion
Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
Software Packing
Security Account Manager12
System Information Discovery
SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
Process Injection
NTDS1
Remote System Discovery
Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
Obfuscated Files or Information
LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 764543 Sample: po.exe Startdate: 10/12/2022 Architecture: WINDOWS Score: 52 13 Multi AV Scanner detection for submitted file 2->13 15 Machine Learning detection for sample 2->15 6 po.exe 2 2->6         started        process3 process4 8 WerFault.exe 24 9 6->8         started        file5 11 C:\ProgramData\Microsoft\...\Report.wer, Unicode 8->11 dropped

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
po.exe73%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
po.exe52%VirustotalBrowse
po.exe100%Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
SourceDetectionScannerLabelLink
http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
http://www.founder.com.cn/cnv-s0%URL Reputationsafe
http://www.jiyu-kobo.co.jp/Curs0%URL Reputationsafe
http://www.tiro.com0%URL Reputationsafe
http://www.goodfont.co.kr0%URL Reputationsafe
http://www.tiro.comH0%URL Reputationsafe
http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
http://en.w0%URL Reputationsafe
http://en.w0%URL Reputationsafe
http://www.carterandcone.coml0%URL Reputationsafe
http://www.carterandcone.coml0%URL Reputationsafe
http://www.sajatypeworks.com0%URL Reputationsafe
http://www.founder.com.cn/cn/0%URL Reputationsafe
http://www.typography.netD0%URL Reputationsafe
http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
http://fontfabrik.com0%URL Reputationsafe
http://www.founder.com.cn/cn0%URL Reputationsafe
http://www.founder.com.cn/cn0%URL Reputationsafe
http://www.fonts.comic0%URL Reputationsafe
http://www.fonts.comF0%URL Reputationsafe
http://www.founder.com.cn/cne-d0%URL Reputationsafe
http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
http://www.sajatypeworks.coma-d0%URL Reputationsafe
http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
http://www.sandoll.co.kr0%URL Reputationsafe
http://www.urwpp.deDPlease0%URL Reputationsafe
http://www.zhongyicts.com.cn0%URL Reputationsafe
http://www.founder.com.cn/cnk-s0%URL Reputationsafe
http://www.sakkal.com0%URL Reputationsafe
http://www.jiyu-kobo.co.jp/&:0%Avira URL Cloudsafe
http://www.jiyu-kobo.co.jp/.:0%Avira URL Cloudsafe
http://www.sandoll.co.krtio0%Avira URL Cloudsafe
http://www.fontbureau.comion20%Avira URL Cloudsafe
http://www.jiyu-kobo.co.jp/Kal10%Avira URL Cloudsafe
http://www.jiyu-kobo.co.jp/Kal10%VirustotalBrowse
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
http://www.apache.org/licenses/LICENSE-2.0po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
    high
    http://www.fontbureau.compo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000000.267003380.00000000061E0000.00000004.00000800.00020000.00000000.sdmpfalse
      high
      http://www.fontbureau.com/designersGpo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
        high
        http://www.fontbureau.com/designers/?po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
          high
          http://www.jiyu-kobo.co.jp/.:po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://www.founder.com.cn/cn/bThepo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          • URL Reputation: safe
          unknown
          http://www.fontbureau.com/designers?po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
            high
            http://www.founder.com.cn/cnv-spo.exe, 00000000.00000003.244591367.000000000621D000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://www.jiyu-kobo.co.jp/&:po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.jiyu-kobo.co.jp/Curspo.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://www.tiro.compo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241803871.00000000061FB000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241730213.00000000061FB000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241833835.00000000061FB000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            unknown
            http://www.jiyu-kobo.co.jp/Kal1po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpfalse
            • 0%, Virustotal, Browse
            • Avira URL Cloud: safe
            unknown
            http://www.fontbureau.com/designerspo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.248623484.00000000061ED000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.248360260.00000000061E9000.00000004.00000800.00020000.00000000.sdmpfalse
              high
              http://www.goodfont.co.krpo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.tiro.comHpo.exe, 00000000.00000003.241803871.00000000061FB000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.jiyu-kobo.co.jp/jp/po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://en.wpo.exe, 00000000.00000003.240816738.00000000019BD000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              http://www.carterandcone.comlpo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              unknown
              http://www.sajatypeworks.compo.exe, 00000000.00000003.241435364.0000000006203000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241147125.0000000006204000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241200145.0000000006202000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241115693.0000000006203000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241166786.0000000006204000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241396248.0000000006204000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241472437.0000000006202000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241325027.0000000006203000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241363800.0000000006204000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241277174.0000000006204000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241073753.00000000061FB000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.founder.com.cn/cn/po.exe, 00000000.00000003.244819081.00000000061E4000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.typography.netDpo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.fontbureau.com/designers/cabarga.htmlNpo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
                high
                http://www.founder.com.cn/cn/cThepo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
                http://www.galapagosdesign.com/staff/dennis.htmpo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://fontfabrik.compo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241803871.00000000061FB000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241730213.00000000061FB000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.founder.com.cn/cnpo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.244624481.00000000061E4000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.244825933.00000000061E9000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.244880056.00000000061EB000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.244591367.000000000621D000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                unknown
                http://www.fontbureau.com/designers/frere-jones.htmlpo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
                  high
                  http://www.fonts.comicpo.exe, 00000000.00000003.241413362.00000000061FB000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.fonts.comFpo.exe, 00000000.00000003.241413362.00000000061FB000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241351924.00000000061FB000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.fontbureau.comion2po.exe, 00000000.00000000.267003380.00000000061E0000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.founder.com.cn/cne-dpo.exe, 00000000.00000003.244591367.000000000621D000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.jiyu-kobo.co.jp/po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.sajatypeworks.coma-dpo.exe, 00000000.00000003.241435364.0000000006203000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241200145.0000000006202000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241115693.0000000006203000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241472437.0000000006202000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241325027.0000000006203000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241073753.00000000061FB000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.galapagosdesign.com/DPleasepo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.jiyu-kobo.co.jp/Y0po.exe, 00000000.00000003.245933960.00000000061E4000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  unknown
                  http://www.fontbureau.com/designers8po.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.248623484.00000000061ED000.00000004.00000800.00020000.00000000.sdmpfalse
                    high
                    http://www.sandoll.co.krtiopo.exe, 00000000.00000003.243229870.00000000061E9000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.fonts.compo.exe, 00000000.00000003.241310425.00000000061FB000.00000004.00000800.00020000.00000000.sdmp, po.exe, 00000000.00000003.241351924.00000000061FB000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.sandoll.co.krpo.exe, 00000000.00000003.243229870.00000000061E9000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.urwpp.deDPleasepo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.zhongyicts.com.cnpo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.founder.com.cn/cnk-spo.exe, 00000000.00000003.244591367.000000000621D000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.sakkal.compo.exe, 00000000.00000000.268561144.00000000073F2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      No contacted IP infos
                      Joe Sandbox Version:36.0.0 Rainbow Opal
                      Analysis ID:764543
                      Start date and time:2022-12-10 08:23:09 +01:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 4m 34s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Sample file name:po.exe
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                      Number of analysed new started processes analysed:14
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • HDC enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Detection:MAL
                      Classification:mal52.winEXE@2/4@0/0
                      EGA Information:Failed
                      HDC Information:Failed
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 93.184.221.240, 20.42.73.29
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                      • Report size getting too big, too many NtSetInformationFile calls found.
                      TimeTypeDescription
                      08:24:09API Interceptor1x Sleep call for process: po.exe modified
                      08:24:26API Interceptor1x Sleep call for process: WerFault.exe modified
                      No context
                      No context
                      No context
                      No context
                      No context
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):1.0876814123311422
                      Encrypted:false
                      SSDEEP:192:X9wLuiNLokHBUZMXCaKeCiAKmv/u7sPS274Itn:tQNMsBUZMXCaa/u7sPX4Itn
                      MD5:3A56194BF622812434FC097E7015CE0E
                      SHA1:46C04EEEC96049691F870B078020975112D0FCB9
                      SHA-256:3439567B714DEEC8105D2210913377477C580F25FC114D0C8C89E8F7E838C47D
                      SHA-512:9172706850F7FB0149878A1EB4356033009F88C8668C3C9F71CC7C6047FCE5EE538448BDA4B789CED124DCED571B6041A33DB960307D1401C77CAE555BA0EF65
                      Malicious:true
                      Reputation:low
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.5.1.6.3.0.5.6.1.3.3.9.3.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.5.1.6.3.0.5.7.3.8.3.9.3.2.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.a.0.8.0.c.e.-.a.0.f.d.-.4.a.a.b.-.8.a.b.4.-.a.0.8.d.4.1.f.6.2.2.4.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.5.1.2.3.a.0.-.d.5.4.9.-.4.6.7.2.-.8.5.2.e.-.b.3.1.3.f.1.c.e.5.a.d.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.p.o...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.l.u.O.V.h.P...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.5.c.-.0.0.0.1.-.0.0.1.f.-.b.f.7.7.-.e.1.c.d.b.3.0.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.0.1.c.a.3.8.0.6.f.4.3.7.9.3.d.f.3.7.b.d.3.1.f.8.f.b.7.3.9.8.9.0.0.0.0.0.0.0.0.!.0.0.0.0.b.3.f.f.3.2.9.9.a.b.c.9.9.5.9.5.b.9.c.c.e.7.2.d.3.c.a.a.8.f.6.8.0.f.0.3.9.8.0.e.!.p.o...e.
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Sat Dec 10 16:24:16 2022, 0x1205a4 type
                      Category:dropped
                      Size (bytes):271835
                      Entropy (8bit):4.8160753684805195
                      Encrypted:false
                      SSDEEP:3072:aHIhG0ua8Jjtsjd+pH8dJ1xSBki0btuUCgUlv49gIOgF5byoF5iH:300uaIpcdJ1xmf+uTjlg9RpDby4
                      MD5:A6F1FD440CC365F41826B49A8E76F62E
                      SHA1:9750F5153E36FB5D4172D22F8B7DF40B8220844E
                      SHA-256:137CA56627096BE439DFA5129A28E74D1A09FA735B6EE73246F0428BBA21412E
                      SHA-512:19AED236F253CCBC212D69A41F5190126BE60BB388D36F3CE9704D01BCCBCFDD49223720856E39E3ABD37DE92A16C421F3CEF1D16CF3D4569C927347393655A6
                      Malicious:false
                      Reputation:low
                      Preview:MDMP....... ..........c............$...............,......../...=..........T.......8...........T...........................< ..........("...................................................................U...........B......."......GenuineIntelW...........T.......\......c.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8392
                      Entropy (8bit):3.7015506456488967
                      Encrypted:false
                      SSDEEP:192:Rrl7r3GLNiJY6u/RM6YqpSUbBIgmfZa+YSvCprA89bF2sfA3m:RrlsNim6u/q6Y0SUlIgmfNYSqFVfN
                      MD5:F8DE7764CE60055C42562364214A656D
                      SHA1:7E9AAFF4B60F7A2358672B478DCF9B7FFAE1680A
                      SHA-256:8F6ED6062B64EB805D72DD71844FDBBDF0CE4700B74B3A1884825458B2D5A21F
                      SHA-512:225D5DAE123461CA99C12C12BC1F0452D2DE1DE324CFDAC8F69892170EDDEA77BC919AB7D077896E6B8EC5943AB45C70C8410A82A02B385B692A1EA36592ADAC
                      Malicious:false
                      Reputation:low
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.1.1.6.<./.P.i.d.>.......
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4712
                      Entropy (8bit):4.491367087892378
                      Encrypted:false
                      SSDEEP:48:cvIwSD8zsbJgtWI9zjWgc8sqYjX8fm8M4JQo8FC+q8vkHWSQAmKed:uITf1MSgrsqYgJQAKrSQAmKed
                      MD5:CCFD45ECDB3F86C758E38D151835E6B6
                      SHA1:20202FCC6AF0BCFA818658EF2CC87757229F1711
                      SHA-256:AF6769B7B6478015923ABA4ED89360457D79FA484AA9E6E0FD13C52BC38E259D
                      SHA-512:730F352594D73D2666B957833CAA9E3E0D595864D84D7C4E26170FD89B183B0B04D9C402E52DD844B11CD7B695554C81D5A7D2B08FE5C34CAD5ECD92FC7C9BFC
                      Malicious:false
                      Reputation:low
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1817374" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.3099462542772065
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      • Win32 Executable (generic) a (10002005/4) 49.75%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Windows Screen Saver (13104/52) 0.07%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      File name:po.exe
                      File size:742912
                      MD5:1366f09969c727410c578b1cbbc3d7bb
                      SHA1:b3ff3299abc99595b9cce72d3caa8f680f03980e
                      SHA256:0f371fd55d2f262b3e904d6249299f9b259b37e7f1d6b972c65d258390fe198e
                      SHA512:e1c4e4cc9fc4ec58c10eeb4245b4cc540bd743bd46a3982cefc7b739f25b8c2c290d935afa2cb3d06f823ee2feaebc3d39a1dca71ed4a48dae1c3d4fdb2bdeeb
                      SSDEEP:12288:faMBuDIUxig8DwfbgO2iN6SC7oQgU46MF5/2Mk4OHZjUXdxa1RvsUry8x78SseIQ:xk8DwfbgO14SC7oWm/2Mk4OStxm/yC75
                      TLSH:35F48CA54A18295FC1EE37FE98347545C7B212235F16C72C6FB838C82E77EDB861A502
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............P..N...........m... ........@.. ....................................@................................
                      Icon Hash:00828e8e8686b000
                      Entrypoint:0x4b6dca
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x6392B8B1 [Fri Dec 9 04:25:21 2022 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                      Instruction
                      jmp dword ptr [00402000h]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      NameVirtual AddressVirtual Size Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IMPORT0xb6d750x4f.text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE0xb80000x390.rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC0xba0000xc.reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG0xb26cc0x54.text
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                      .text0x20000xb4dd00xb4e00False0.6976773064961991data7.317482231797024IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rsrc0xb80000x3900x400False0.3740234375data2.8800729313937383IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc0xba0000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      NameRVASizeTypeLanguageCountry
                      RT_VERSION0xb80580x334data
                      DLLImport
                      mscoree.dll_CorExeMain
                      No network behavior found
                      050100s020406080100

                      Click to jump to process

                      050100s0.00102030MB

                      Click to jump to process

                      • File
                      • Registry

                      Click to dive into process behavior distribution

                      Click to jump to process

                      Target ID:0
                      Start time:08:23:57
                      Start date:10/12/2022
                      Path:C:\Users\user\Desktop\po.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\Desktop\po.exe
                      Imagebase:0xeb0000
                      File size:742912 bytes
                      MD5 hash:1366F09969C727410C578B1CBBC3D7BB
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:low

                      Target ID:2
                      Start time:08:24:15
                      Start date:10/12/2022
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1192
                      Imagebase:0x1140000
                      File size:434592 bytes
                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:high
                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
                      There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

                      No disassembly