Windows Analysis Report
PURCHASE ORDER.exe

Overview

General Information

Sample Name: PURCHASE ORDER.exe
Analysis ID: 755961
MD5: a55b4bb09398659d69f1b8b37541e621
SHA1: 975f7c38780d00ae497fcb6addf31f5ad8cdb090
SHA256: ea45a2032eebe69d32b15d3ea505330eb00b5026107e8e123fb9fb9e2bf87496
Tags: agentteslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: PURCHASE ORDER.exe ReversingLabs: Detection: 60%
Source: PURCHASE ORDER.exe Virustotal: Detection: 47% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe ReversingLabs: Detection: 60%
Machine Learning detection for sample
Source: PURCHASE ORDER.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.orogenicgroup-bd.com", "Username": "amir.hossain@orogenicgroup-bd.com", "Password": "Hossain$3400"}
Uses 32bit PE files
Source: PURCHASE ORDER.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PURCHASE ORDER.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr
Source: Binary string: RegSvcs.pdb source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49695 -> 119.148.27.3:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49695 -> 119.148.27.3:587
Source: RegSvcs.exe, 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://JXqRNJ.com
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000003.00000002.423143006.0000000005DBC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.orogenicgroup-bd.com
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: PURCHASE ORDER.exe, 00000000.00000002.341153865.0000000003251000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574175039.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574144305.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://0boQaB1sN6dM.org
Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: RegSvcs.exe, 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: mail.orogenicgroup-bd.com

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PURCHASE ORDER.exe
.NET source code contains very large array initializations
Source: 3.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b1A51FE34u002d102Bu002d4B81u002dB647u002d9B5BFE7FC3FBu007d/u00339A8F051u002d32C9u002d4CC9u002dBC08u002dBE27BEFD88F4.cs Large array initialization: .cctor: array initializer size 10971
Uses 32bit PE files
Source: PURCHASE ORDER.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Detected potential crypto function
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01553D9D 0_2_01553D9D
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01551C40 0_2_01551C40
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01550EB0 0_2_01550EB0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_015518F0 0_2_015518F0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_015518E0 0_2_015518E0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01556508 0_2_01556508
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01551C31 0_2_01551C31
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01556F18 0_2_01556F18
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01553F9B 0_2_01553F9B
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01551ED8 0_2_01551ED8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01551EC9 0_2_01551EC9
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_01550EA0 0_2_01550EA0
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0160E2C8 0_2_0160E2C8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0160E2D8 0_2_0160E2D8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_0160BFC4 0_2_0160BFC4
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_031C65B8 0_2_031C65B8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Code function: 0_2_031C65A9 0_2_031C65A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00DEE16B 3_2_00DEE16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00DEDA01 3_2_00DEDA01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_04D7F780 3_2_04D7F780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_04D7B520 3_2_04D7B520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_04D7FAC8 3_2_04D7FAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05D30548 3_2_05D30548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05D3C508 3_2_05D3C508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05D32638 3_2_05D32638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05D3CB40 3_2_05D3CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E6A5A4 3_2_05E6A5A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E6F910 3_2_05E6F910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E6CD19 3_2_05E6CD19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E6F4CF 3_2_05E6F4CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E60040 3_2_05E60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E65428 3_2_05E65428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E67E40 3_2_05E67E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E61F88 3_2_05E61F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E885B8 3_2_05E885B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E81958 3_2_05E81958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E8A4C0 3_2_05E8A4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E8E770 3_2_05E8E770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E84E28 3_2_05E84E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E8D578 3_2_05E8D578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E8D518 3_2_05E8D518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E873D0 3_2_05E873D0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 05D36F60 appears 52 times
Sample file is different than original file name gathered from version info
Source: PURCHASE ORDER.exe, 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.348745127.00000000078A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.343797180.0000000004468000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.343797180.0000000004468000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameqyB5isNZ.exe8 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.346074250.00000000056D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCassa.dll< vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe, 00000000.00000002.341153865.0000000003251000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs PURCHASE ORDER.exe
Source: PURCHASE ORDER.exe Binary or memory string: OriginalFilenameqyB5isNZ.exe8 vs PURCHASE ORDER.exe
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: PURCHASE ORDER.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PAyWOGoRT.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PURCHASE ORDER.exe ReversingLabs: Detection: 60%
Source: PURCHASE ORDER.exe Virustotal: Detection: 47%
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File read: C:\Users\user\Desktop\PURCHASE ORDER.exe Jump to behavior
Source: PURCHASE ORDER.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File created: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File created: C:\Users\user\AppData\Local\Temp\tmpF89B.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/9@2/1
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: RegSvcs.exe, 00000003.00000002.417165095.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.573889145.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PURCHASE ORDER.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Mutant created: \Sessions\1\BaseNamedObjects\nnVWvWgWBznoFzzQRNsbxIAQxt
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2040:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: 3.0.RegSvcs.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.RegSvcs.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: PURCHASE ORDER.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PURCHASE ORDER.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr
Source: Binary string: RegSvcs.pdb source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05D3F488 push esp; retf 3_2_05D3F5A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05D3E11E push ecx; iretd 3_2_05D3E11F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05D3E123 push eax; iretd 3_2_05D3E124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E63F21 push E904DDD4h; retf 0001h 3_2_05E63F26
Source: initial sample Static PE information: section name: .text entropy: 7.897447602261709
Source: initial sample Static PE information: section name: .text entropy: 7.897447602261709
Drops PE files
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe File created: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PAyWOGoRT.exe PID: 1520, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PURCHASE ORDER.exe, 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PURCHASE ORDER.exe, 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 2168 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe TID: 6064 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 2032 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 5168 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9777 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9736
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99843 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99717 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99607 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99499 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99390 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99281 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98923 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98800 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98421 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98199 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98076 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97825 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97593 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97483 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97042 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96827 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96715 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96608 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96044 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95937 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95826 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95716 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95499 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95390 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95281 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95046 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94933 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94390 Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99067
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98795
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97295
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95321
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94436
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94327
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 0000000C.00000002.577267438.0000000006000000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05E86BF8 LdrInitializeThunk, 3_2_05E86BF8
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 80A008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 872008 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Users\user\Desktop\PURCHASE ORDER.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior