Windows Analysis Report
PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe

Overview

General Information

Sample Name: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Analysis ID: 680480
MD5: 62881881e70f226d8c23a01cdc7287dd
SHA1: e714f5f755f77c24cc7ff4b8a593a3fe76cabeb7
SHA256: b6b281587ead8881ceb6f0f6ba621f2d0c40e120e3314dcac601cc7f5877b3da
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Creates processes with suspicious names
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • cleanup

Malware Configuration (Agenttesla):
{"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.artrsllc.com/", "Username": "whitemoney11@artrsllc.com", "Password": "aJ{?30{raou;"}
Yara matches (Source / Rule / Description / Author / Strings)

Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_AgentTesla_1
Description: Yara detected AgentTesla
Author: Joe Security

Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_AgentTesla_2
Description: Yara detected AgentTesla
Author: Joe Security

Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: Windows_Trojan_AgentTesla_d3ac2b2f
Description: unknown
Author: unknown
Strings:
  • 0x3005f:$a13: get_DnsResolver
  • 0x2e86f:$a20: get_LastAccessed
  • 0x309dd:$a27: set_InternalServerPort
  • 0x30d0f:$a30: set_GuidMasterKey
  • 0x2e976:$a33: get_Clipboard
  • 0x2e984:$a34: get_Keyboard
  • 0x2fc7c:$a35: get_ShiftKeyDown
  • 0x2fc8d:$a36: get_AltKeyDown
  • 0x2e991:$a37: get_Password
  • 0x2f42c:$a38: get_PasswordHash
  • 0x3045f:$a39: get_DefaultCredentials

Source: 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_AgentTesla_1
Description: Yara detected AgentTesla
Author: Joe Security

Source: 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Yara matches, unpacked PEs (Source / Rule / Description / Author / Strings)

Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack
Rule: JoeSecurity_AgentTesla_1
Description: Yara detected AgentTesla
Author: Joe Security

Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack
Rule: JoeSecurity_AgentTesla_2
Description: Yara detected AgentTesla
Author: Joe Security

Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack
Rule: MALWARE_Win_AgentTeslaV3
Description: AgentTeslaV3 infostealer payload
Author: ditekSHen
Strings:
  • 0x30d28:$s10: logins
  • 0x3078f:$s11: credential
  • 0x2cd76:$g1: get_Clipboard
  • 0x2cd84:$g2: get_Keyboard
  • 0x2cd91:$g3: get_Password
  • 0x2e06c:$g4: get_CtrlKeyDown
  • 0x2e07c:$g5: get_ShiftKeyDown
  • 0x2e08d:$g6: get_AltKeyDown

Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack
Rule: Windows_Trojan_AgentTesla_d3ac2b2f
Description: unknown
Author: unknown
Strings:
  • 0x2e45f:$a13: get_DnsResolver
  • 0x2cc6f:$a20: get_LastAccessed
  • 0x2eddd:$a27: set_InternalServerPort
  • 0x2f10f:$a30: set_GuidMasterKey
  • 0x2cd76:$a33: get_Clipboard
  • 0x2cd84:$a34: get_Keyboard
  • 0x2e07c:$a35: get_ShiftKeyDown
  • 0x2e08d:$a36: get_AltKeyDown
  • 0x2cd91:$a37: get_Password
  • 0x2d82c:$a38: get_PasswordHash
  • 0x2e85f:$a39: get_DefaultCredentials

Source: 4.0.RegSvcs.exe.400000.0.unpack
Rule: JoeSecurity_AgentTesla_1
Description: Yara detected AgentTesla
Author: Joe Security

No Sigma rule has matched
No Snort rule has matched

                AV Detection

Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Virustotal: Detection: 52%
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | ReversingLabs: Detection: 36%
Source: http://ftp.artrsllc.com | Avira URL Cloud: Label: malware
Source: ftp://ftp.artrsllc.com/whitemoney11 | Avira URL Cloud: Label: malware
Source: ftp.artrsllc.com | Virustotal: Detection: 14%
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Joe Sandbox ML: detected
Source: 4.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.artrsllc.com/", "Username": "whitemoney11@artrsllc.com", "Password": "aJ{?30{raou;"}
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View | ASN Name: DIMENOCUS
Source: Joe Sandbox View | IP Address: 107.161.178.166
Source: unknown | FTP traffic detected: 107.161.178.166:21 -> 192.168.2.7:49765
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 5 of 50 allowed.
220-Local time is now 10:21. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Source: RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.artrsllc.com/whitemoney11
Source: RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000004.00000002.614573955.000000000369F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000003.398330369.00000000013D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://A2hAjAc0p86apb.com
Source: RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ZhDbKe.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000004.00000002.614649601.00000000036AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.artrsllc.com
Source: RegSvcs.exe, 00000004.00000002.614573955.000000000369F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345901174.0000000005C54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.372509100.00000000013C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgrito
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345471162.0000000005C59000.00000004.00000800.00020000.00000000.sdmp, PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345431980.0000000005C51000.00000004.00000800.00020000.00000000.sdmp, PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345410083.0000000005C50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp, PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345835240.0000000005C54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cne
Source: RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: ftp.artrsllc.com

                System Summary

Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.3f65328.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.3f65328.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe PID: 6172, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6444, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: initial sample | Static PE information: Filename: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Source: 4.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{606A6EF8-1437-42D4-BB2B-DB42737768F5}/257ED7A8-3564-4CB1-A8C6-F677993BBB48.cs | Large array initialization: .cctor: array initializer size 11612
Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.3f65328.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.3f65328.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe PID: 6172, type: MEMORYSTR | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, score = file, reference = Internal Research
Source: Process Memory Space: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe PID: 6172, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 6444, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Code function: 0_2_011F50C2
Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Code function: 0_2_011FC994
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_017AF080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_017AF3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_017AAD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069872B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698C398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069898F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06987750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06983330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069BB358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069BBB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069B28D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069B8040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069BC440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069BBA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069BC3DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069B9B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069B3CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06D036A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06D04528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06D01108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06D08A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698D3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698A348
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.373214199.0000000002E91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.373214199.0000000002E91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamegwctxUAuFOvrUAEZshgxt.exe4 vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000000.336604589.0000000000912000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameE7OiW.exeH vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.383751391.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.387769467.00000000077D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegwctxUAuFOvrUAEZshgxt.exe4 vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.379273016.0000000003417000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Binary or memory string: OriginalFilenameE7OiW.exeH vs PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Virustotal: Detection: 52%
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | ReversingLabs: Detection: 36%
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe "C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe"
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.log
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: 4.0.RegSvcs.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698179A push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981792 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698178E push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981782 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817B9 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817B2 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817AA push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817A1 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817DA push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817D1 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817CA push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817C2 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817EA push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069817E2 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698177A push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06982520 push edi; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06983330 push es; iretd
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069818BD push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069840B1 push es; iretd
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069818DD push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698181A push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981816 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981832 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698182A push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981826 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_0698187E push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981872 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981876 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981862 push es; ret
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_06981866 push es; ret
                Source: initial sample | Static PE information: section name: .text entropy: 7.410029605740152
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | File created: \po#8155 pc_etg000137 cont wt ashwagandha 07-08-2022 wrdooo1.exe
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe PID: 6172, type: MEMORYSTR
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe TID: 6196 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 9568
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
                Source: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.376120852.00000000030E7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                Source: RegSvcs.exe, 00000004.00000002.618056160.0000000006719000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000003.408884630.0000000006716000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4_2_069B8040 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 436000
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1137008
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                Queries volume information (VolumeInformation) for:
                    C:\Windows\Fonts\CALIFR.TTF
                    C:\Windows\Fonts\CALIFI.TTF
                    C:\Windows\Fonts\CALIFB.TTF
                    C:\Windows\Fonts\CENTAUR.TTF
                    C:\Windows\Fonts\CHILLER.TTF
                    C:\Windows\Fonts\COLONNA.TTF
                    C:\Windows\Fonts\COOPBL.TTF
                    C:\Windows\Fonts\FTLTLT.TTF
                    C:\Windows\Fonts\HARLOWSI.TTF
                    C:\Windows\Fonts\HARNGTON.TTF
                    C:\Windows\Fonts\HTOWERT.TTF
                    C:\Windows\Fonts\HTOWERTI.TTF
                    C:\Windows\Fonts\JOKERMAN.TTF
                    C:\Windows\Fonts\KUNSTLER.TTF
                    C:\Windows\Fonts\LBRITE.TTF
                    C:\Windows\Fonts\LBRITED.TTF
                    C:\Windows\Fonts\LBRITEI.TTF
                    C:\Windows\Fonts\LBRITEDI.TTF
                    C:\Windows\Fonts\LCALLIG.TTF
                    C:\Windows\Fonts\LFAX.TTF
                    C:\Windows\Fonts\LFAXD.TTF
                    C:\Windows\Fonts\LFAXI.TTF
                    C:\Windows\Fonts\LFAXDI.TTF
                    C:\Windows\Fonts\MAGNETOB.TTF
                    C:\Windows\Fonts\MATURASC.TTF
                    C:\Windows\Fonts\MOD20.TTF
                    C:\Windows\Fonts\NIAGENG.TTF
                    C:\Windows\Fonts\NIAGSOL.TTF
                    C:\Windows\Fonts\OLDENGL.TTF
                    C:\Windows\Fonts\ONYX.TTF
                    C:\Windows\Fonts\PARCHM.TTF
                    C:\Windows\Fonts\PLAYBILL.TTF
                    C:\Windows\Fonts\POORICH.TTF
                    C:\Windows\Fonts\RAVIE.TTF
                    C:\Windows\Fonts\INFROMAN.TTF
                    C:\Windows\Fonts\SHOWG.TTF
                    C:\Windows\Fonts\SNAP____.TTF
                    C:\Windows\Fonts\STENCIL.TTF
                    C:\Windows\Fonts\VINERITC.TTF
                    C:\Windows\Fonts\VIVALDII.TTF
                    C:\Windows\Fonts\VLADIMIR.TTF
                    C:\Windows\Fonts\LATINWD.TTF
                    C:\Windows\Fonts\TCM_____.TTF
                    C:\Windows\Fonts\TCMI____.TTF
                    C:\Windows\Fonts\TCB_____.TTF
                    C:\Windows\Fonts\TCBI____.TTF
                    C:\Windows\Fonts\TCCM____.TTF
                    C:\Windows\Fonts\TCCB____.TTF
                    C:\Windows\Fonts\TCCEB.TTF
                    C:\Windows\Fonts\SCRIPTBL.TTF
                    C:\Windows\Fonts\ROCK.TTF
                    C:\Windows\Fonts\ROCKI.TTF
                    C:\Windows\Fonts\ROCKB.TTF
                    C:\Windows\Fonts\ROCKEB.TTF
                    C:\Windows\Fonts\ROCKBI.TTF
                    C:\Windows\Fonts\ROCC____.TTF
                    C:\Windows\Fonts\ROCCB___.TTF
                    C:\Windows\Fonts\RAGE.TTF
                    C:\Windows\Fonts\PERTILI.TTF
                    C:\Windows\Fonts\PERTIBD.TTF
                    C:\Windows\Fonts\PER_____.TTF
                    C:\Windows\Fonts\PERI____.TTF
                    C:\Windows\Fonts\PERB____.TTF
                    C:\Windows\Fonts\PERBI___.TTF
                    C:\Windows\Fonts\PALSCRI.TTF
                    C:\Windows\Fonts\OCRAEXT.TTF
                    C:\Windows\Fonts\MAIAN.TTF
                    C:\Windows\Fonts\LTYPE.TTF
                    C:\Windows\Fonts\LTYPEO.TTF
                    C:\Windows\Fonts\LTYPEB.TTF
                    C:\Windows\Fonts\LTYPEBO.TTF
                    C:\Windows\Fonts\LSANS.TTF
                    C:\Windows\Fonts\LSANSD.TTF
                    C:\Windows\Fonts\LSANSI.TTF
                    C:\Windows\Fonts\LSANSDI.TTF
                    C:\Windows\Fonts\IMPRISHA.TTF
                    C:\Windows\Fonts\HATTEN.TTF
                    C:\Windows\Fonts\GOUDYSTO.TTF
                    C:\Windows\Fonts\GOUDOS.TTF
                    C:\Windows\Fonts\GOUDOSI.TTF
                    C:\Windows\Fonts\GOUDOSB.TTF
                    C:\Windows\Fonts\GLECB.TTF
                    C:\Windows\Fonts\GIL_____.TTF
                    C:\Windows\Fonts\GILI____.TTF
                    C:\Windows\Fonts\GILB____.TTF
                    C:\Windows\Fonts\GILBI___.TTF
                    C:\Windows\Fonts\GILC____.TTF
                    C:\Windows\Fonts\GLSNECB.TTF
                    C:\Windows\Fonts\GIGI.TTF
                    C:\Windows\Fonts\FRABK.TTF
                    C:\Windows\Fonts\FRABKIT.TTF
                    C:\Windows\Fonts\FORTE.TTF
                    C:\Windows\Fonts\FELIXTI.TTF
                    C:\Windows\Fonts\ERASMD.TTF
                    C:\Windows\Fonts\ERASLGHT.TTF
                    C:\Windows\Fonts\ERASDEMI.TTF
                    C:\Windows\Fonts\ERASBD.TTF
                    C:\Windows\Fonts\ENGR.TTF
                    C:\Windows\Fonts\ELEPHNT.TTF
                    C:\Windows\Fonts\ELEPHNTI.TTF
                    C:\Windows\Fonts\ITCEDSCR.TTF
                    C:\Windows\Fonts\CURLZ___.TTF
                    C:\Windows\Fonts\COPRGTL.TTF
                    C:\Windows\Fonts\COPRGTB.TTF
                    C:\Windows\Fonts\CENSCBK.TTF
                    C:\Windows\Fonts\SCHLBKI.TTF
                    C:\Windows\Fonts\SCHLBKB.TTF
                    C:\Windows\Fonts\SCHLBKBI.TTF
                    C:\Windows\Fonts\CASTELAR.TTF
                    C:\Windows\Fonts\CALIST.TTF
                    C:\Windows\Fonts\CALISTI.TTF
                    C:\Windows\Fonts\CALISTB.TTF
                    C:\Windows\Fonts\CALISTBI.TTF
                    C:\Windows\Fonts\BOOKOS.TTF
                    C:\Windows\Fonts\BOOKOSB.TTF
                    C:\Windows\Fonts\BOOKOSI.TTF
                    C:\Windows\Fonts\BOOKOSBI.TTF
                    C:\Windows\Fonts\BOD_R.TTF
                    C:\Windows\Fonts\BOD_I.TTF
                    C:\Windows\Fonts\BOD_B.TTF
                    C:\Windows\Fonts\BOD_BI.TTF
                    C:\Windows\Fonts\BOD_CR.TTF
                    C:\Windows\Fonts\BOD_BLAR.TTF
                    C:\Windows\Fonts\BOD_CI.TTF
                    C:\Windows\Fonts\BOD_CB.TTF
                    C:\Windows\Fonts\BOD_BLAI.TTF
                    C:\Windows\Fonts\BOD_CBI.TTF
                    C:\Windows\Fonts\ITCBLKAD.TTF
                    C:\Windows\Fonts\ARLRDBD.TTF
                    C:\Windows\Fonts\AGENCYR.TTF
                    C:\Windows\Fonts\AGENCYB.TTF
                    C:\Windows\Fonts\BSSYM7.TTF
                    C:\Windows\Fonts\REFSAN.TTF
                    C:\Windows\Fonts\REFSPCL.TTF
                    C:\Windows\Fonts\MTEXTRA.TTF
                    C:\Windows\Fonts\marlett.ttf
                    C:\Windows\Fonts\micross.ttf
                    C:\Windows\Fonts\segoeuii.ttf
                    C:\Windows\Fonts\segoeuiz.ttf
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Queries volume information (VolumeInformation) for:
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
                Source: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.3f65328.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe PID: 6172, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6444, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: Yara match | File source: 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6444, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.40487a8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe.3f65328.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe PID: 6172, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6444, type: MEMORYSTR
                Mitre Att&ck Matrix (techniques listed per tactic column; a number in parentheses is the badge the report shows next to that technique)

                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                Execution: Windows Management Instrumentation (211); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                Privilege Escalation: Process Injection (211); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (131); Process Injection (211); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (3)
                Credential Access: OS Credential Dumping (2); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                Discovery: Security Software Discovery (211); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (114); System Owner/User Discovery; Network Sniffing
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (2); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                Exfiltration: Exfiltration Over Alternative Protocol (1); Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Source | Detection | Scanner | Label
PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | 52% | Virustotal |
PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | 12% | Metadefender |
PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | 37% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
4.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
Source | Detection | Scanner | Label
ftp.artrsllc.com | 15% | Virustotal |
Source | Detection | Scanner | Label
http://ZhDbKe.com | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.zhongyicts.com.cne | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://ftp.artrsllc.com | 100% | Avira URL Cloud | malware
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
ftp://ftp.artrsllc.com/whitemoney11 | 100% | Avira URL Cloud | malware
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.comgrito | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://A2hAjAc0p86apb.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ftp.artrsllc.com | 107.161.178.166 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://ZhDbKe.com | RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345901174.0000000005C54000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cne | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345835240.0000000005C54000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345471162.0000000005C59000.00000004.00000800.00020000.00000000.sdmp, PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345431980.0000000005C51000.00000004.00000800.00020000.00000000.sdmp, PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000003.345410083.0000000005C50000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ftp.artrsllc.com | RegSvcs.exe, 00000004.00000002.614649601.00000000036AD000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
ftp://ftp.artrsllc.com/whitemoney11 | RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://fontfabrik.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp, PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | RegSvcs.exe, 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comgrito | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.372509100.00000000013C7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.384454676.0000000006F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000004.00000002.614573955.000000000369F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe, 00000000.00000002.385827875.000000000701C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://A2hAjAc0p86apb.com | RegSvcs.exe, 00000004.00000002.614573955.000000000369F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000003.398330369.00000000013D4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
107.161.178.166 | ftp.artrsllc.com | United States | 33182 | DIMENOCUS | true
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 680480
Start date and time: 2022-08-08 17:18:13 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:19:29 | API Interceptor | 1x Sleep call for process: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe modified
17:19:39 | API Interceptor | 695x Sleep call for process: RegSvcs.exe modified
                                      No context
Process: C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.406669599964873
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
File size: 880128
MD5: 62881881e70f226d8c23a01cdc7287dd
SHA1: e714f5f755f77c24cc7ff4b8a593a3fe76cabeb7
SHA256: b6b281587ead8881ceb6f0f6ba621f2d0c40e120e3314dcac601cc7f5877b3da
SHA512: ae0cdefc3ae27ee559dd261eef14130210b243a37fd51d0cb3abb67f273cd9f3280adcaeeb8d544f6ff32c0d0f1bc8b6b8e4a9092f48e6cb0ac7cb27f130e4d3
SSDEEP: 24576:Jgrg0jwi9BHtgL1NSin5uq5n11fDARrII:qg0RBN8146uknrfDA
TLSH: 3F155CA9319071DFD927CA72CAA81C34EA517C77A71B921794633198DB3E987DF200B3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....P.b..............P..X...........v... ........@.. ....................................@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4d76ae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x62F05019 [Sun Aug 7 23:51:53 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd7654 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd8000 | 0x11f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                       Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                       .text   0x2000           0xd56b4       0xd5800   False     0.7426186054596019  data       7.410029605740152    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                       .rsrc   0xd8000          0x11f0        0x1200    False     0.3934461805555556  data       5.04651876632834     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .reloc  0xda000          0xc           0x200     False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                       Name         RVA      Size   Type                                                                          Language  Country
                                       RT_VERSION   0xd80a0  0x334  data
                                       RT_MANIFEST  0xd83d4  0xe15  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators
                                       DLL          Import
                                       mscoree.dll  _CorExeMain
                                       Timestamp                           Source Port  Dest Port  Source IP        Dest IP
                                       Aug 8, 2022 17:19:52.324122906 CEST  49765        21         192.168.2.7      107.161.178.166
                                       Aug 8, 2022 17:19:52.453358889 CEST  21           49765      107.161.178.166  192.168.2.7
                                       Aug 8, 2022 17:19:52.453870058 CEST  49765        21         192.168.2.7      107.161.178.166
                                       Aug 8, 2022 17:19:52.461240053 CEST  49765        21         192.168.2.7      107.161.178.166
                                       Aug 8, 2022 17:19:52.583769083 CEST  21           49765      107.161.178.166  192.168.2.7
                                       Aug 8, 2022 17:19:52.583904028 CEST  49765        21         192.168.2.7      107.161.178.166
                                       Aug 8, 2022 17:19:52.590502977 CEST  21           49765      107.161.178.166  192.168.2.7
                                       Aug 8, 2022 17:19:52.590625048 CEST  49765        21         192.168.2.7      107.161.178.166
                                       Aug 8, 2022 17:19:52.590635061 CEST  21           49765      107.161.178.166  192.168.2.7
                                       Aug 8, 2022 17:19:52.590712070 CEST  49765        21         192.168.2.7      107.161.178.166
                                       Timestamp                           Source Port  Dest Port  Source IP    Dest IP
                                       Aug 8, 2022 17:19:52.141880035 CEST  60978        53         192.168.2.7  8.8.8.8
                                       Aug 8, 2022 17:19:52.280396938 CEST  53           60978      8.8.8.8      192.168.2.7
                                       Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class
                                       Aug 8, 2022 17:19:52.141880035 CEST  192.168.2.7  8.8.8.8  0xa05e    Standard query (0)  ftp.artrsllc.com  A (IP address)  IN (0x0001)

                                       Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class
                                       Aug 8, 2022 17:19:52.280396938 CEST  8.8.8.8    192.168.2.7  0xa05e    No error (0)  ftp.artrsllc.com         107.161.178.166  A (IP address)  IN (0x0001)
                                       Timestamp                           Source Port  Dest Port  Source IP        Dest IP      Commands
                                       Aug 8, 2022 17:19:52.583769083 CEST  21           49765      107.161.178.166  192.168.2.7  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                                                                                  220-You are user number 5 of 50 allowed.
                                                                                                                                  220-Local time is now 10:21. Server port: 21.
                                                                                                                                  220-This is a private system - No anonymous login
                                                                                                                                  220-IPv6 connections are also welcome on this server.
                                                                                                                                  220 You will be disconnected after 15 minutes of inactivity.
                                       Aug 8, 2022 17:19:52.590502977 CEST  21           49765      107.161.178.166  192.168.2.7  220 Logout.


                                      Target ID:0
                                      Start time:17:19:18
                                      Start date:08/08/2022
                                      Path:C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\PO#8155 PC_ETG000137 CONT WT Ashwagandha 07-08-2022 WRDOOO1.exe"
                                      Imagebase:0x910000
                                      File size:880128 bytes
                                      MD5 hash:62881881E70F226D8C23A01CDC7287DD
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.379474394.0000000003E99000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                      Reputation:low

                                      Target ID:4
                                      Start time:17:19:32
                                      Start date:08/08/2022
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:{path}
                                      Imagebase:0xf80000
                                      File size:45152 bytes
                                      MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000004.00000000.367436517.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.611090100.0000000003351000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high

                                      No disassembly