
Windows Analysis Report PI.exe

Overview

General Information

Sample Name: PI.exe
Analysis ID: 502697
MD5: 59f7f57b8d6c0e55493eec56977d7cb4
SHA1: 0740bebf070c16fca8aa5c0fada48edcc1bd9f12
SHA256: c932b6a0cbaa454668d2429d433fec76e7e544bb26b5bd1865a86aac4fa33434
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Machine Learning detection for sample
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • PI.exe (PID: 4596 cmdline: 'C:\Users\user\Desktop\PI.exe' MD5: 59F7F57B8D6C0E55493EEC56977D7CB4)
    • schtasks.exe (PID: 6840 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gBrGmFSvkGtF' /XML 'C:\Users\user\AppData\Local\Temp\tmpE100.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 7036 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 7100 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
      • WerFault.exe (PID: 4416 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 1476 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • ZAYOk.exe (PID: 3796 cmdline: 'C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ZAYOk.exe (PID: 7112 cmdline: 'C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "account@jeevalabs.com", "Password": "jeeva@123", "Host": "mail.jeevalabs.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000E.00000000.400992134.0000000002FE1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000000.400992134.0000000002FE1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000E.00000000.401899331.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000000.401899331.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000E.00000002.429850923.0000000002FE1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(11 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
14.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
14.0.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
14.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
14.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
14.0.RegSvcs.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(1 further entry not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 14.0.RegSvcs.exe.400000.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "account@jeevalabs.com", "Password": "jeeva@123", "Host": "mail.jeevalabs.com"}
Multi AV Scanner detection for submitted file
Source: PI.exe | Virustotal: Detection: 25%
Machine Learning detection for sample
Source: PI.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\gBrGmFSvkGtF.exe | Joe Sandbox ML: detected
Source: 14.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: PI.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PI.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: RegSvcs.exe, 0000000E.00000000.400992134.0000000002FE1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000E.00000000.400992134.0000000002FE1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 0000000E.00000000.400992134.0000000002FE1000.00000004.00000001.sdmp | String found in binary or memory: http://bwoMKP.com
Source: WerFault.exe, 0000001B.00000003.425532451.0000000004D42000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000001B.00000003.414423473.0000000005630000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Amcache.hve.27.dr | String found in binary or memory: http://upx.sf.net
Source: RegSvcs.exe, 0000000E.00000000.400992134.0000000002FE1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: WerFault.exe, 0000001B.00000002.427879512.0000000004E5C000.00000004.00000001.sdmp | String found in binary or memory: https://watson.telemetry.m
Source: RegSvcs.exe, 0000000E.00000000.401899331.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 0000000E.00000000.400992134.0000000002FE1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      System Summary:

                      .NET source code contains very large array initializations
                      Source: 14.0.RegSvcs.exe.400000.1.unpack, <PrivateImplementationDetails>{3B464F1C-6D38-4D62-82BB-984642A7F74A}/968FCA44-BFFB-4D3E-9B95-6D42C6640E89.cs | Large array initialization: .cctor: array initializer size 11957
                      Source: 14.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{3B464F1C-6D38-4D62-82BB-984642A7F74A}/968FCA44-BFFB-4D3E-9B95-6D42C6640E89.cs | Large array initialization: .cctor: array initializer size 11957
                      Source: 14.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{3B464F1C-6D38-4D62-82BB-984642A7F74A}/968FCA44-BFFB-4D3E-9B95-6D42C6640E89.cs | Large array initialization: .cctor: array initializer size 11957
                      Source: PI.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 1476
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_02DD47A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_02DD3CCC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_02DD8168
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_02DD46B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_02DD5490
                      Source: PI.exe, 00000000.00000000.271353757.0000000000953000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamelpH3Mlb.exeD vs PI.exe
                      Source: PI.exe | Binary or memory string: OriginalFilenamelpH3Mlb.exeD vs PI.exe
                      Source: PI.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: gBrGmFSvkGtF.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                      Source: PI.exe | Virustotal: Detection: 25%
                      Source: C:\Users\user\Desktop\PI.exe | File read: C:\Users\user\Desktop\PI.exe
                      Source: PI.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\PI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\PI.exe 'C:\Users\user\Desktop\PI.exe'
                      Source: C:\Users\user\Desktop\PI.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gBrGmFSvkGtF' /XML 'C:\Users\user\AppData\Local\Temp\tmpE100.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\PI.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                      Source: C:\Users\user\Desktop\PI.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe 'C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe'
                      Source: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe 'C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe'
                      Source: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7100 -s 1476
                      Source: C:\Users\user\Desktop\PI.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gBrGmFSvkGtF' /XML 'C:\Users\user\AppData\Local\Temp\tmpE100.tmp'
                      Source: C:\Users\user\Desktop\PI.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                      Source: C:\Users\user\Desktop\PI.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                      Source: C:\Users\user\Desktop\PI.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PI.exe | File created: C:\Users\user\AppData\Roaming\gBrGmFSvkGtF.exe
                      Source: C:\Users\user\Desktop\PI.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE100.tmp
                      Source: classification engine | Classification label: mal100.troj.evad.winEXE@13/12@0/0
                      Source: C:\Users\user\Desktop\PI.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\PI.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
                      Source: C:\Users\user\Desktop\PI.exe | Mutant created: \Sessions\1\BaseNamedObjects\yfvuiREAIAv
                      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7100
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_01
                      Source: 14.0.RegSvcs.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 14.0.RegSvcs.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 14.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 14.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 14.0.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 14.0.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\PI.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: PI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PI.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegSvcs.exe, 0000000E.00000000.401366087.0000000006194000.00000004.00000001.sdmp
                      Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000001B.00000003.416122787.0000000005431000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp
                      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001B.00000003.408012676.0000000004E2B000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 0000000E.00000000.401366087.0000000006194000.00000004.00000001.sdmp
                      Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 0000000E.00000000.402155896.00000000010F8000.00000004.00000001.sdmp
                      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001B.00000003.416339616.0000000005437000.00000004.00000040.sdmp
                      Source: Binary string: wbemcomn.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001B.00000003.416271285.00000000052C1000.00000004.00000001.sdmp
                      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001B.00000003.416271285.00000000052C1000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001B.00000003.416271285.00000000052C1000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbu source: RegSvcs.exe, 0000000E.00000002.430288250.0000000006194000.00000004.00000001.sdmp
                      Source: Binary string: RegSvcs.pdb source: ZAYOk.exe, ZAYOk.exe.14.dr
                      Source: Binary string: clr.pdb source: WerFault.exe, 0000001B.00000003.416421330.0000000005430000.00000004.00000040.sdmp
                      Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.pdbsoft.NET/Framework/v4.0.30319/RegSvcs.exerd source: RegSvcs.exe, 0000000E.00000000.401366087.0000000006194000.00000004.00000001.sdmp
                      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001B.00000003.416271285.00000000052C1000.00000004.00000001.sdmp
                      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001B.00000003.416271285.00000000052C1000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000001B.00000003.416213243.000000000544E000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000001B.00000003.416213243.000000000544E000.00000004.00000001.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp
                      Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdbrC source: RegSvcs.exe, 0000000E.00000000.402155896.00000000010F8000.00000004.00000001.sdmp
                      Source: Binary string: System.Windows.Forms.pdb4 source: WER86C6.tmp.dmp.27.dr
                      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001B.00000003.416271285.00000000052C1000.00000004.00000001.sdmp
                      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001B.00000003.416339616.0000000005437000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: \??\C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 0000000E.00000002.429361623.000000000150B000.00000004.00000001.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RegSvcs.exe, 0000000E.00000002.429361623.000000000150B000.00000004.00000001.sdmp
                      Source: Binary string: sxs.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp
                      Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000001B.00000003.416122787.0000000005431000.00000004.00000040.sdmp
                      Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.PDB source: RegSvcs.exe, 0000000E.00000000.402155896.00000000010F8000.00000004.00000001.sdmp
                      Source: Binary string: mscoree.pdb source: WerFault.exe, 0000001B.00000003.416271285.00000000052C1000.00000004.00000001.sdmp
                      Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbMZ source: WER86C6.tmp.dmp.27.dr
                      Source: Binary string: indows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll.pdb source: RegSvcs.exe, 0000000E.00000002.429218819.0000000001466000.00000004.00000020.sdmp
                      Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000001B.00000003.416339616.0000000005437000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.pdb" source: WerFault.exe, 0000001B.00000003.416213243.000000000544E000.00000004.00000001.sdmp
                      Source: Binary string: wbemdisp.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.pdbegSvcs.pdbpdbvcs.pdbv4.0.30319\RegSvcs.pdb3062332-1002 source: RegSvcs.exe, 0000000E.00000000.402155896.00000000010F8000.00000004.00000001.sdmp
                      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 0000000E.00000002.430362962.00000000061E9000.00000004.00000001.sdmp, ZAYOk.exe, 00000013.00000000.377676212.00000000003C2000.00000002.00020000.sdmp, ZAYOk.exe, 00000017.00000000.395241960.0000000000F02000.00000002.00020000.sdmp, ZAYOk.exe.14.dr
                      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001B.00000003.416339616.0000000005437000.00000004.00000040.sdmp
                      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WER86C6.tmp.dmp.27.dr
                      Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001B.00000003.416213243.000000000544E000.00000004.00000001.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: ole32.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp
                      Source: Binary string: System.Configuration.pdbCustomMarshalers.dllCustomMarshalers.dll source: WER86C6.tmp.dmp.27.dr
                      Source: Binary string: mscorlib.pdb source: RegSvcs.exe, 0000000E.00000002.430288250.0000000006194000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.416144758.000000000543A000.00000004.00000040.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdbW source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: combase.pdb source: WerFault.exe, 0000001B.00000003.416339616.0000000005437000.00000004.00000040.sdmp
                      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: System.Management.pdb source: WerFault.exe, 0000001B.00000003.416144758.000000000543A000.00000004.00000040.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: System.pdb3 source: WER86C6.tmp.dmp.27.dr
                      Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER86C6.tmp.dmp.27.dr
                      Source: Binary string: \??\C:\Windows\symbols\exe\RegSvcs.pdb=G source: RegSvcs.exe, 0000000E.00000000.400534351.000000000150B000.00000004.00000001.sdmp
                      Source: Binary string: CustomMarshalers.pdbCA source: WER86C6.tmp.dmp.27.dr
                      Source: Binary string: System.Xml.ni.pdbRSDS source: WER86C6.tmp.dmp.27.dr
                      Source: Binary string: RegSvcs.pdbr source: RegSvcs.exe, 0000000E.00000000.402155896.00000000010F8000.00000004.00000001.sdmp
                      Source: Binary string: System.Core.ni.pdbRSDSD source: WER86C6.tmp.dmp.27.dr
                      Source: Binary string: mscorlib.ni.pdbW source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: RegSvcs.pdbj source: RegSvcs.exe, 0000000E.00000002.430288250.0000000006194000.00000004.00000001.sdmp
                      Source: Binary string: System.Management.pdbx source: WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000001B.00000003.416122787.0000000005431000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp
                      Source: Binary string: wbemprox.pdbY source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: shcore.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001B.00000003.416421330.0000000005430000.00000004.00000040.sdmp
                      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000001B.00000003.416213243.000000000544E000.00000004.00000001.sdmp
                      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegSvcs.exe, 0000000E.00000000.400421661.0000000001466000.00000004.00000020.sdmp
                      Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: shell32.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.pdb0s source: RegSvcs.exe, 0000000E.00000002.430288250.0000000006194000.00000004.00000001.sdmp
                      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001B.00000003.416421330.0000000005430000.00000004.00000040.sdmp
                      Source: Binary string: o0C:\Windows\RegSvcs.pdb source: RegSvcs.exe, 0000000E.00000000.402155896.00000000010F8000.00000004.00000001.sdmp
                      Source: Binary string: System.pdb66 source: WerFault.exe, 0000001B.00000003.416122787.0000000005431000.00000004.00000040.sdmp
                      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp
                      Source: Binary string: cfgmgr32.pdbPhyCr source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: wmiutils.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp
                      Source: Binary string: System.pdbx source: WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp
                      Source: Binary string: .pdb source: RegSvcs.exe, 0000000E.00000000.402155896.00000000010F8000.00000004.00000001.sdmp
                      Source: Binary string: profapi.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbuW source: RegSvcs.exe, 0000000E.00000000.401366087.0000000006194000.00000004.00000001.sdmp
                      Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: symbols\exe\RegSvcs.pdbzX source: RegSvcs.exe, 0000000E.00000000.402155896.00000000010F8000.00000004.00000001.sdmp
                      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001B.00000003.416421330.0000000005430000.00000004.00000040.sdmp
                      Source: Binary string: sechost.pdb source: WerFault.exe, 0000001B.00000003.416271285.00000000052C1000.00000004.00000001.sdmp
                      Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 0000001B.00000003.416144758.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: System.ni.pdbRSDS source: WER86C6.tmp.dmp.27.dr
                      Source: Binary string: shcore.pdbVhcC source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: clrjit.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: wbemcomn.pdbw source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: fastprox.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: wbemsvc.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: msctf.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: version.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: \??\C:\Windows\mscorlib.pdbKV source: RegSvcs.exe, 0000000E.00000002.429361623.000000000150B000.00000004.00000001.sdmp
                      Source: Binary string: CustomMarshalers.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: System.pdb source: WerFault.exe, 0000001B.00000003.416122787.0000000005431000.00000004.00000040.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: System.Xml.pdb" source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: System.Management.pdb" source: WerFault.exe, 0000001B.00000003.416144758.000000000543A000.00000004.00000040.sdmp
                      Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp, WER86C6.tmp.dmp.27.dr
                      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001B.00000003.416421330.0000000005430000.00000004.00000040.sdmp
                      Source: Binary string: psapi.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001B.00000003.416271285.00000000052C1000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001B.00000003.416271285.00000000052C1000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001B.00000003.416122787.0000000005431000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.PDB source: RegSvcs.exe, 0000000E.00000002.430288250.0000000006194000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 0000001B.00000003.416339616.0000000005437000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001B.00000003.416213243.000000000544E000.00000004.00000001.sdmp, WER86C6.tmp.dmp.27.dr
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\exe\RegSvcs.pdb source: RegSvcs.exe, 0000000E.00000000.401366087.0000000006194000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000001B.00000003.414727052.00000000055F0000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000001B.00000003.416213243.000000000544E000.00000004.00000001.sdmp
Source: Binary string: wbemprox.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 0000001B.00000003.416457054.000000000543A000.00000004.00000040.sdmp, WER86C6.tmp.dmp.27.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER86C6.tmp.dmp.27.dr
Source: Binary string: System.Core.pdbl source: WER86C6.tmp.dmp.27.dr
Source: initial sample Static PE information: section name: .text entropy: 7.07928703549
Source: C:\Users\user\Desktop\PI.exe File created: C:\Users\user\AppData\Roaming\gBrGmFSvkGtF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\PI.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gBrGmFSvkGtF' /XML 'C:\Users\user\AppData\Local\Temp\tmpE100.tmp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ZAYOk

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\PI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\PI.exe TID: 4532 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe TID: 4576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe TID: 5936 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PI.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ZAYOk\ZAYOk.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: Amcache.hve.27.dr Binary or memory string: VMware
Source: Amcache.hve.27.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.27.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.27.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.27.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.27.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.27.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.27.dr Binary or memory string: VMware7,1
Source: Amcache.hve.27.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.27.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.27.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 0000001B.00000002.427731467.0000000004D30000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.27.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.27.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.27.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.27.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.27.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.27.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\PI.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PI.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PI.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gBrGmFSvkGtF' /XML 'C:\Users\user\AppData\Local\Temp\tmpE100.tmp'
Source: C:\Users\user\Desktop\PI.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: RegSvcs.exe, 0000000E.00000000.400656663.00000000019C0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 0000000E.00000000.400656663.00000000019C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 0000000E.00000000.400656663.00000000019C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegSvcs.exe, 0000000E.00000000.400656663.00000000019C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Users\user\Desktop\PI.exe VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PI.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
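A long run of "Queries volume information" rows like the one above is tedious to read by hand, and the interesting question for triage is not the font files but whether any query lands somewhere else, such as a volume root, whose serial number is a common host-fingerprint input. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the flattened behavior rows as they appear in the extracted report text, groups the queried paths by directory and attaches a triage class to each group. The classification is a heuristic assumption of this example (font-directory queries treated as probable enumeration noise, volume-root queries flagged for review), not a finding of the report; the first four sample rows are copied from the report, the last row is constructed for the example.

```python
import re
from collections import defaultdict

# One flattened Joe Sandbox behavior row, as it appears in the extracted
# report text: "Source: <process>Queries volume information: <path> VolumeInformationJump to behavior"
ROW_RE = re.compile(
    r"Source:\s*(?P<source>.+?\.exe)\s*"
    r"Queries volume information:\s*(?P<path>[A-Za-z]:\\\S*?)\s*"
    r"VolumeInformation(?:Jump to behavior)?\s*$"
)

# Triage heuristic (an assumption of this example, not a report finding):
# files under the system font directory are what a font-enumeration pass
# touches, so volume queries there are treated as probable runtime noise.
FONT_DIRS = {r"c:\windows\fonts"}


def parse_rows(text):
    """Return (source, path) tuples for every line that matches ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group("source"), m.group("path")))
    return rows


def directory_of(path):
    """Lower-cased parent directory; a bare volume root such as 'C:\\' maps to 'c:'."""
    head, sep, _ = path.rpartition("\\")
    return (head if sep else path).lower()


def classify(directory):
    """Attach a triage class to a directory of queried paths (heuristic)."""
    if directory in FONT_DIRS:
        return "font-enumeration (probable runtime noise)"
    if re.fullmatch(r"[a-z]:", directory):
        # A query on the volume root returns the volume serial number, a
        # common host-fingerprint input; worth a manual look.
        return "volume root (possible serial-number fingerprinting, review)"
    return "review"


def triage(rows):
    """Group queried paths by directory and attach a class and count to each group."""
    by_dir = defaultdict(list)
    for _, path in rows:
        by_dir[directory_of(path)].append(path)
    return {
        d: {"count": len(paths), "class": classify(d), "paths": paths}
        for d, paths in by_dir.items()
    }


# Sample input: the first four rows are copied from the report above; the
# last row is CONSTRUCTED for this example and is not a report finding.
SAMPLE = r"""
Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PI.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\example.exeQueries volume information: C:\ VolumeInformation
"""

if __name__ == "__main__":
    for d, info in triage(parse_rows(SAMPLE)).items():
        print(f"{d}: {info['count']} queries -> {info['class']}")
```

Run it against the full "Queries volume information" block of a report (paste the rows into SAMPLE or read them from a file) and anything that is not grouped under the font directory is what deserves a closer look in the behavior graph.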