Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PURCHASE ORDER.exe

Overview

General Information

Sample Name:PURCHASE ORDER.exe
Analysis ID:755961
MD5:a55b4bb09398659d69f1b8b37541e621
SHA1:975f7c38780d00ae497fcb6addf31f5ad8cdb090
SHA256:ea45a2032eebe69d32b15d3ea505330eb00b5026107e8e123fb9fb9e2bf87496
Tags:agentteslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • PURCHASE ORDER.exe (PID: 5196 cmdline: C:\Users\user\Desktop\PURCHASE ORDER.exe MD5: A55B4BB09398659D69F1B8B37541E621)
    • schtasks.exe (PID: 1948 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 4212 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • PAyWOGoRT.exe (PID: 1520 cmdline: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe MD5: A55B4BB09398659D69F1B8B37541E621)
    • schtasks.exe (PID: 1240 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5292 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 3836 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • yGbzOMp.exe (PID: 1604 cmdline: "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • yGbzOMp.exe (PID: 4184 cmdline: "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"Exfil Mode": "SMTP", "Host": "mail.orogenicgroup-bd.com", "Username": "amir.hossain@orogenicgroup-bd.com", "Password": "Hossain$3400"}
SourceRuleDescriptionAuthorStrings
00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_AgentTesla_d3ac2b2funknownunknown
      • 0x31d44:$a13: get_DnsResolver
      • 0x3043b:$a20: get_LastAccessed
      • 0x32772:$a27: set_InternalServerPort
      • 0x32aa7:$a30: set_GuidMasterKey
      • 0x3054d:$a33: get_Clipboard
      • 0x3055b:$a34: get_Keyboard
      • 0x31928:$a35: get_ShiftKeyDown
      • 0x31939:$a36: get_AltKeyDown
      • 0x30568:$a37: get_Password
      • 0x31083:$a38: get_PasswordHash
      • 0x321a6:$a39: get_DefaultCredentials
      00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Click to see the 15 entries
          SourceRuleDescriptionAuthorStrings
          3.0.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            3.0.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
              0.2.PURCHASE ORDER.exe.43a0ee0.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.PURCHASE ORDER.exe.43a0ee0.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                  3.0.RegSvcs.exe.400000.0.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
                  • 0x34a83:$s10: logins
                  • 0x344fd:$s11: credential
                  • 0x3074d:$g1: get_Clipboard
                  • 0x3075b:$g2: get_Keyboard
                  • 0x30768:$g3: get_Password
                  • 0x31b18:$g4: get_CtrlKeyDown
                  • 0x31b28:$g5: get_ShiftKeyDown
                  • 0x31b39:$g6: get_AltKeyDown
                  Click to see the 7 entries

                  Persistence and Installation Behavior

                  barindex
                  Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\PURCHASE ORDER.exe, ParentImage: C:\Users\user\Desktop\PURCHASE ORDER.exe, ParentProcessId: 5196, ParentProcessName: PURCHASE ORDER.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp, ProcessId: 1948, ProcessName: schtasks.exe
                  No Snort rule has matched

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Source: PURCHASE ORDER.exeReversingLabs: Detection: 60%
                  Source: PURCHASE ORDER.exeVirustotal: Detection: 47%Perma Link
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeReversingLabs: Detection: 60%
                  Source: PURCHASE ORDER.exeJoe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeJoe Sandbox ML: detected
                  Source: 3.0.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.orogenicgroup-bd.com", "Username": "amir.hossain@orogenicgroup-bd.com", "Password": "Hossain$3400"}
                  Source: PURCHASE ORDER.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: PURCHASE ORDER.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr
                  Source: Binary string: RegSvcs.pdb source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr
                  Source: global trafficTCP traffic: 192.168.2.4:49695 -> 119.148.27.3:587
                  Source: global trafficTCP traffic: 192.168.2.4:49695 -> 119.148.27.3:587
                  Source: RegSvcs.exe, 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                  Source: RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                  Source: RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://JXqRNJ.com
                  Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                  Source: RegSvcs.exe, 00000003.00000002.423143006.0000000005DBC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                  Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                  Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.orogenicgroup-bd.com
                  Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: PURCHASE ORDER.exe, 00000000.00000002.341153865.0000000003251000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574175039.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574144305.0000000002E0F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0boQaB1sN6dM.org
                  Source: RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
                  Source: RegSvcs.exe, 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                  Source: unknownDNS traffic detected: queries for: mail.orogenicgroup-bd.com

                  System Summary

                  barindex
                  Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                  Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
                  Source: initial sampleStatic PE information: Filename: PURCHASE ORDER.exe
                  Source: 3.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b1A51FE34u002d102Bu002d4B81u002dB647u002d9B5BFE7FC3FBu007d/u00339A8F051u002d32C9u002d4CC9u002dBC08u002dBE27BEFD88F4.csLarge array initialization: .cctor: array initializer size 10971
                  Source: PURCHASE ORDER.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                  Source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTRMatched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_01553D9D
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_01551C40
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_01550EB0
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_015518F0
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_015518E0
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_01556508
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_01551C31
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_01556F18
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_01553F9B
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_01551ED8
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_01551EC9
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_01550EA0
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_0160E2C8
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_0160E2D8
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_0160BFC4
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_031C65B8
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeCode function: 0_2_031C65A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00DEE16B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00DEDA01
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_04D7F780
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_04D7B520
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_04D7FAC8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05D30548
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05D3C508
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05D32638
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05D3CB40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E6A5A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E6F910
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E6CD19
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E6F4CF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E60040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E65428
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E67E40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E61F88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E885B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E81958
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E8A4C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E8E770
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E84E28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E8D578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E8D518
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E873D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 05D36F60 appears 52 times
                  Source: PURCHASE ORDER.exe, 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER.exe
                  Source: PURCHASE ORDER.exe, 00000000.00000002.348745127.00000000078A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER.exe
                  Source: PURCHASE ORDER.exe, 00000000.00000002.343797180.0000000004468000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER.exe
                  Source: PURCHASE ORDER.exe, 00000000.00000002.343797180.0000000004468000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameqyB5isNZ.exe8 vs PURCHASE ORDER.exe
                  Source: PURCHASE ORDER.exe, 00000000.00000002.346074250.00000000056D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCassa.dll< vs PURCHASE ORDER.exe
                  Source: PURCHASE ORDER.exe, 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs PURCHASE ORDER.exe
                  Source: PURCHASE ORDER.exe, 00000000.00000002.341153865.0000000003251000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs PURCHASE ORDER.exe
                  Source: PURCHASE ORDER.exeBinary or memory string: OriginalFilenameqyB5isNZ.exe8 vs PURCHASE ORDER.exe
                  Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                  Source: PURCHASE ORDER.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: PAyWOGoRT.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: PURCHASE ORDER.exeReversingLabs: Detection: 60%
                  Source: PURCHASE ORDER.exeVirustotal: Detection: 47%
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeFile read: C:\Users\user\Desktop\PURCHASE ORDER.exeJump to behavior
                  Source: PURCHASE ORDER.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Users\user\Desktop\PURCHASE ORDER.exe C:\Users\user\Desktop\PURCHASE ORDER.exe
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp
                  Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeFile created: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeJump to behavior
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeFile created: C:\Users\user\AppData\Local\Temp\tmpF89B.tmpJump to behavior
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@18/9@2/1
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: RegSvcs.exe, 00000003.00000002.417165095.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.573889145.0000000002DDB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: PURCHASE ORDER.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeMutant created: \Sessions\1\BaseNamedObjects\nnVWvWgWBznoFzzQRNsbxIAQxt
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2040:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3720:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
                  Source: 3.0.RegSvcs.exe.400000.0.unpack, A/f2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 3.0.RegSvcs.exe.400000.0.unpack, A/f2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: PURCHASE ORDER.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: PURCHASE ORDER.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr
                  Source: Binary string: RegSvcs.pdb source: yGbzOMp.exe, 00000005.00000000.371961562.0000000000902000.00000002.00000001.01000000.0000000A.sdmp, RegSvcs.exe, 0000000C.00000003.462171566.000000000600D000.00000004.00000800.00020000.00000000.sdmp, yGbzOMp.exe.3.dr
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05D3F488 push esp; retf
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05D3E11E push ecx; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05D3E123 push eax; iretd
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E63F21 push E904DDD4h; retf 0001h
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.897447602261709
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.897447602261709
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeFile created: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeJump to dropped file
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeJump to dropped file

                  Boot Survival

                  barindex
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMpJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMpJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes | delete
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes | delete
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Source: Yara matchFile source: 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: PAyWOGoRT.exe PID: 1520, type: MEMORYSTR
                  Source: PURCHASE ORDER.exe, 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: PURCHASE ORDER.exe, 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exe TID: 2168Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe TID: 6064Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 2032Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 5168Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 9777
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 9736
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99717
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99607
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99499
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99390
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99172
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99047
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98923
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98800
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98640
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98421
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98199
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98076
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97937
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97825
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97593
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97483
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97375
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97042
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96937
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96827
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96715
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96608
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96375
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96044
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95937
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95826
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95716
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95499
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95390
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95172
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94933
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94828
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94718
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94609
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94390
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99874
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99749
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99625
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99515
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99404
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99295
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99186
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99067
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98795
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98577
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98465
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98343
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98015
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97887
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97761
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97625
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97515
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97295
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97186
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96962
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96734
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96607
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96499
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96386
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96280
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96164
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95874
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95760
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95546
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95321
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95218
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95109
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94999
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94874
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94655
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94546
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94436
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94327
                  Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                  Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                  Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                  Source: PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: RegSvcs.exe, 0000000C.00000002.577267438.0000000006000000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05E86BF8 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeMemory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 80A008
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 872008
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Users\user\Desktop\PURCHASE ORDER.exe VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeQueries volume information: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\PAyWOGoRT.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeQueries volume information: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeQueries volume information: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\PURCHASE ORDER.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_05D354C0 GetUserNameW,

                  Stealing of Sensitive Information

                  barindex
                  Source: Yara matchFile source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: Yara matchFile source: 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Source: Yara matchFile source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.PURCHASE ORDER.exe.43a0ee0.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: PURCHASE ORDER.exe PID: 5196, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 4212, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3836, type: MEMORYSTR
                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid Accounts211
                  Windows Management Instrumentation
                  1
                  Scheduled Task/Job
                  211
                  Process Injection
                  1
                  Disable or Modify Tools
                  2
                  OS Credential Dumping
                  1
                  Account Discovery
                  Remote Services11
                  Archive Collected Data
                  Exfiltration Over Other Network Medium1
                  Encrypted Channel
                  Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default Accounts1
                  Scheduled Task/Job
                  1
                  Registry Run Keys / Startup Folder
                  1
                  Scheduled Task/Job
                  11
                  Deobfuscate/Decode Files or Information
                  1
                  Credentials in Registry
                  1
                  File and Directory Discovery
                  Remote Desktop Protocol2
                  Data from Local System
                  Exfiltration Over Bluetooth1
                  Non-Standard Port
                  Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)1
                  Registry Run Keys / Startup Folder
                  3
                  Obfuscated Files or Information
                  Security Account Manager114
                  System Information Discovery
                  SMB/Windows Admin Shares1
                  Email Collection
                  Automated Exfiltration1
                  Non-Application Layer Protocol
                  Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)3
                  Software Packing
                  NTDS311
                  Security Software Discovery
                  Distributed Component Object ModelInput CaptureScheduled Transfer11
                  Application Layer Protocol
                  SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                  Masquerading
                  LSA Secrets1
                  Process Discovery
                  SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.common131
                  Virtualization/Sandbox Evasion
                  Cached Domain Credentials131
                  Virtualization/Sandbox Evasion
                  VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup Items211
                  Process Injection
                  DCSync1
                  Application Window Discovery
                  Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                  Hidden Files and Directories
                  Proc Filesystem1
                  System Owner/User Discovery
                  Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                  Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
                  Remote System Discovery
                  Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 signatures2 2 Behavior Graph ID: 755961 Sample: PURCHASE ORDER.exe Startdate: 29/11/2022 Architecture: WINDOWS Score: 100 48 Malicious sample detected (through community Yara rule) 2->48 50 Sigma detected: Scheduled temp file as task from temp location 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 7 other signatures 2->54 7 PURCHASE ORDER.exe 6 2->7         started        11 PAyWOGoRT.exe 5 2->11         started        13 yGbzOMp.exe 2 2->13         started        15 yGbzOMp.exe 1 2->15         started        process3 file4 40 C:\Users\user\AppData\Roaming\PAyWOGoRT.exe, PE32 7->40 dropped 42 C:\Users\user\AppData\Local\...\tmpF89B.tmp, XML 7->42 dropped 44 C:\Users\user\...\PURCHASE ORDER.exe.log, ASCII 7->44 dropped 70 Writes to foreign memory regions 7->70 72 Injects a PE file into a foreign processes 7->72 17 RegSvcs.exe 2 5 7->17         started        22 schtasks.exe 1 7->22         started        74 Multi AV Scanner detection for dropped file 11->74 76 Machine Learning detection for dropped file 11->76 24 RegSvcs.exe 4 11->24         started        26 schtasks.exe 1 11->26         started        28 RegSvcs.exe 11->28         started        30 conhost.exe 13->30         started        32 conhost.exe 15->32         started        signatures5 process6 dnsIp7 46 mail.orogenicgroup-bd.com 119.148.27.3, 49695, 49696, 587 AGNI-ASAgniSystemsLimitedBD Bangladesh 17->46 38 C:\Users\user\AppData\Roaming\...\yGbzOMp.exe, PE32 17->38 dropped 56 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->56 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->58 60 Tries to steal Mail credentials (via file / registry access) 17->60 62 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->62 34 conhost.exe 22->34         started        64 Tries to harvest and steal ftp login credentials 24->64 66 Tries to harvest and steal browser information (history, passwords, etc) 24->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->68 36 conhost.exe 26->36         started        file8 signatures9 process10

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand
                  SourceDetectionScannerLabelLink
                  PURCHASE ORDER.exe61%ReversingLabsByteCode-MSIL.Trojan.Taskun
                  PURCHASE ORDER.exe48%VirustotalBrowse
                  PURCHASE ORDER.exe100%Joe Sandbox ML
                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Roaming\PAyWOGoRT.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Roaming\PAyWOGoRT.exe61%ReversingLabsByteCode-MSIL.Trojan.Taskun
                  C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe0%ReversingLabs
                  SourceDetectionScannerLabelLinkDownload
                  3.0.RegSvcs.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                  No Antivirus matches
                  SourceDetectionScannerLabelLink
                  https://sectigo.com/CPS00%URL Reputationsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://DynDns.comDynDNSnamejidpasswordPsi/Psi0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                  https://0boQaB1sN6dM.org0%Avira URL Cloudsafe
                  http://mail.orogenicgroup-bd.com0%Avira URL Cloudsafe
                  http://JXqRNJ.com0%Avira URL Cloudsafe
                  NameIPActiveMaliciousAntivirus DetectionReputation
                  mail.orogenicgroup-bd.com
                  119.148.27.3
                  truefalse
                    unknown
                    NameSourceMaliciousAntivirus DetectionReputation
                    http://127.0.0.1:HTTP/1.1RegSvcs.exe, 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    low
                    http://www.apache.org/licenses/LICENSE-2.0PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.fontbureau.comPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        http://www.fontbureau.com/designersGPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://sectigo.com/CPS0RegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422933643.0000000005D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.422762374.0000000005D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.577522128.0000000006045000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers/?PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://www.founder.com.cn/cn/bThePURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers?PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://mail.orogenicgroup-bd.comRegSvcs.exe, 00000003.00000002.417544241.0000000002C7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574204192.0000000002E19000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwRegSvcs.exe, 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.tiro.comPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designersPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.goodfont.co.krPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.carterandcone.comlPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.sajatypeworks.comPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.typography.netDPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/cabarga.htmlNPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.founder.com.cn/cn/cThePURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://fontfabrik.comPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.founder.com.cn/cnPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/frere-user.htmlPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.jiyu-kobo.co.jp/PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://DynDns.comDynDNSnamejidpasswordPsi/PsiRegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://JXqRNJ.comRegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.galapagosdesign.com/DPleasePURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers8PURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.fonts.comPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.sandoll.co.krPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.urwpp.deDPleasePURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.zhongyicts.com.cnPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePURCHASE ORDER.exe, 00000000.00000002.341153865.0000000003251000.00000004.00000800.00020000.00000000.sdmp, PAyWOGoRT.exe, 00000004.00000002.405112701.0000000003001000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.sakkal.comPURCHASE ORDER.exe, 00000000.00000002.346776635.0000000007212000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://0boQaB1sN6dM.orgRegSvcs.exe, 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574175039.0000000002E13000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.574144305.0000000002E0F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs
                                          IPDomainCountryFlagASNASN NameMalicious
                                          119.148.27.3
                                          mail.orogenicgroup-bd.comBangladesh
                                          23923AGNI-ASAgniSystemsLimitedBDfalse
                                          Joe Sandbox Version:36.0.0 Rainbow Opal
                                          Analysis ID:755961
                                          Start date and time:2022-11-29 11:23:06 +01:00
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 8m 24s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:PURCHASE ORDER.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:18
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@18/9@2/1
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          TimeTypeDescription
                                          11:24:07API Interceptor1x Sleep call for process: PURCHASE ORDER.exe modified
                                          11:24:17Task SchedulerRun new task: PAyWOGoRT path: C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
                                          11:24:22AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                          11:24:31AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                          11:24:35API Interceptor447x Sleep call for process: RegSvcs.exe modified
                                          11:24:36API Interceptor1x Sleep call for process: PAyWOGoRT.exe modified
                                          No context
                                          No context
                                          No context
                                          No context
                                          No context
                                          Process:C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                          MD5:69206D3AF7D6EFD08F4B4726998856D3
                                          SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                          SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                          SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                          Process:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                          MD5:69206D3AF7D6EFD08F4B4726998856D3
                                          SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                          SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                          SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                          Malicious:true
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                          Process:C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):142
                                          Entropy (8bit):5.090621108356562
                                          Encrypted:false
                                          SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                          MD5:8C0458BB9EA02D50565175E38D577E35
                                          SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                          SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                          SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                          Process:C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1642
                                          Entropy (8bit):5.177923914853658
                                          Encrypted:false
                                          SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGQBtn:cbhK79lNQR/rydbz9I3YODOLNdq31
                                          MD5:80E675E5B2A240D5A633F826B64E2CF7
                                          SHA1:A690D2C5FB99B392615E75E68CE86972910D28AE
                                          SHA-256:4F6FD6CEF34AAFE00144F440C2AE385364AB808F5B9FCEF4E7EB5105066B0302
                                          SHA-512:3DA27B4BBD5C37247809800B67C0EE0DB05272AE56674AF3CDEE6D95226A7C22E3341CB5200021559C6AAE9240AF3B6A5581333D7A92543D56DA679C32EFF8DD
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                          Process:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1642
                                          Entropy (8bit):5.177923914853658
                                          Encrypted:false
                                          SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGQBtn:cbhK79lNQR/rydbz9I3YODOLNdq31
                                          MD5:80E675E5B2A240D5A633F826B64E2CF7
                                          SHA1:A690D2C5FB99B392615E75E68CE86972910D28AE
                                          SHA-256:4F6FD6CEF34AAFE00144F440C2AE385364AB808F5B9FCEF4E7EB5105066B0302
                                          SHA-512:3DA27B4BBD5C37247809800B67C0EE0DB05272AE56674AF3CDEE6D95226A7C22E3341CB5200021559C6AAE9240AF3B6A5581333D7A92543D56DA679C32EFF8DD
                                          Malicious:true
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                          Process:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):600576
                                          Entropy (8bit):7.888370004294712
                                          Encrypted:false
                                          SSDEEP:12288:7gkzrbETClvHskFgFwIyXCD1vmAMDfJ0/IegnS1onhj6W4ytrRpMf:/76CVskFgqIyXFhS/ngSWhxROf
                                          MD5:A55B4BB09398659D69F1B8B37541E621
                                          SHA1:975F7C38780D00AE497FCB6ADDF31F5AD8CDB090
                                          SHA-256:EA45A2032EEBE69D32B15D3EA505330EB00B5026107E8E123FB9FB9E2BF87496
                                          SHA-512:A5EB89B7B07AD51B747BA5C003D50AE8AA53C11ADB23034DA977E8AB25373A81C3C7216CDA025C25A0D55F9CAB989F93794D2512FB16A8998DFA8D58C5210590
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 61%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.............................5... ...@....@.. ....................................@.................................x5..W....@..4....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...4....@......................@..@.reloc.......`.......(..............@..B.................5......H............T......4........E..........................................z.(......}.....( ...o!...}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....o....*..{....*.s".
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):45152
                                          Entropy (8bit):6.149629800481177
                                          Encrypted:false
                                          SSDEEP:768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
                                          MD5:2867A3817C9245F7CF518524DFD18F28
                                          SHA1:D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
                                          SHA-256:43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                                          SHA-512:7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                          Process:C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1141
                                          Entropy (8bit):4.44831826838854
                                          Encrypted:false
                                          SSDEEP:24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
                                          MD5:1AEB3A784552CFD2AEDEDC1D43A97A4F
                                          SHA1:804286AB9F8B3DE053222826A69A7CDA3492411A
                                          SHA-256:0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
                                          SHA-512:5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
                                          Malicious:false
                                          Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.888370004294712
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:PURCHASE ORDER.exe
                                          File size:600576
                                          MD5:a55b4bb09398659d69f1b8b37541e621
                                          SHA1:975f7c38780d00ae497fcb6addf31f5ad8cdb090
                                          SHA256:ea45a2032eebe69d32b15d3ea505330eb00b5026107e8e123fb9fb9e2bf87496
                                          SHA512:a5eb89b7b07ad51b747ba5c003d50ae8aa53c11adb23034da977e8ab25373a81c3c7216cda025c25a0d55f9cab989f93794d2512fb16a8998dfa8d58c5210590
                                          SSDEEP:12288:7gkzrbETClvHskFgFwIyXCD1vmAMDfJ0/IegnS1onhj6W4ytrRpMf:/76CVskFgqIyXFhS/ngSWhxROf
                                          TLSH:98D4023C1B457F2BC27D88F595D24E017FF18D19A021EA1AACDE66D803C67781B90ED5
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.............................5... ...@....@.. ....................................@................................
                                          Icon Hash:0969696949097961
                                          Entrypoint:0x4935d2
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x63841E09 [Mon Nov 28 02:33:45 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x935780x57.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x940000xf34.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x960000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000x915d80x91600False0.8968941449914015data7.897447602261709IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc0x940000xf340x1000False0.674072265625data6.343221929180967IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0x960000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                          NameRVASizeTypeLanguageCountry
                                          RT_ICON0x941180xa75PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                          RT_GROUP_ICON0x94b900x14data
                                          RT_GROUP_ICON0x94ba40x14data
                                          RT_VERSION0x94bb80x37cdata
                                          DLLImport
                                          mscoree.dll_CorExeMain
                                          TimestampSource PortDest PortSource IPDest IP
                                          Nov 29, 2022 11:24:36.287166119 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:36.589534998 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:36.589658976 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:38.225836039 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:38.226146936 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:38.523627043 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:38.523865938 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:38.826832056 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:38.889180899 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:39.213813066 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:39.213850975 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:39.213881016 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:39.213903904 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:39.213943005 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:39.213980913 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:39.217195988 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:39.264162064 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:39.562028885 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:39.623230934 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:39.920614004 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:39.944987059 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:40.242274046 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:40.251883984 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:40.587641954 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:40.821350098 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:40.822257996 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:41.119117975 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:41.119190931 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:41.119870901 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:41.424794912 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:41.425214052 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:41.724648952 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:41.726552963 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:41.730971098 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:41.731875896 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:41.731961966 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:42.029700041 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:42.035222054 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:42.035703897 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:42.035804033 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:42.120207071 CET58749695119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:24:42.164433956 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:24:57.036175013 CET49695587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:15.563796043 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:15.861283064 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:15.861886024 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:17.602075100 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:17.602732897 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:17.901496887 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:17.902745962 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:18.200984001 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:18.215336084 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:18.529184103 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:18.529251099 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:18.529294968 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:18.529333115 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:18.529411077 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:18.529882908 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:18.531244040 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:18.541455984 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:18.841746092 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:18.886261940 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:18.943299055 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:19.239828110 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:19.242074013 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:19.538795948 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:19.540328979 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:19.875647068 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:19.899672031 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:19.900697947 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:20.196681023 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:20.196717978 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:20.197648048 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:20.502088070 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:20.502681017 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:20.798707008 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:20.803905010 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:20.804018974 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:20.804094076 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:20.804167986 CET49696587192.168.2.4119.148.27.3
                                          Nov 29, 2022 11:25:21.100074053 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:21.100131035 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:21.101542950 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:21.140907049 CET58749696119.148.27.3192.168.2.4
                                          Nov 29, 2022 11:25:21.183245897 CET49696587192.168.2.4119.148.27.3
                                          TimestampSource PortDest PortSource IPDest IP
                                          Nov 29, 2022 11:24:36.029767036 CET5657253192.168.2.48.8.8.8
                                          Nov 29, 2022 11:24:36.203140020 CET53565728.8.8.8192.168.2.4
                                          Nov 29, 2022 11:25:15.366661072 CET5091153192.168.2.48.8.8.8
                                          Nov 29, 2022 11:25:15.530844927 CET53509118.8.8.8192.168.2.4
                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          Nov 29, 2022 11:24:36.029767036 CET192.168.2.48.8.8.80x2672Standard query (0)mail.orogenicgroup-bd.comA (IP address)IN (0x0001)false
                                          Nov 29, 2022 11:25:15.366661072 CET192.168.2.48.8.8.80x3968Standard query (0)mail.orogenicgroup-bd.comA (IP address)IN (0x0001)false
                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          Nov 29, 2022 11:24:36.203140020 CET8.8.8.8192.168.2.40x2672No error (0)mail.orogenicgroup-bd.com119.148.27.3A (IP address)IN (0x0001)false
                                          Nov 29, 2022 11:25:15.530844927 CET8.8.8.8192.168.2.40x3968No error (0)mail.orogenicgroup-bd.com119.148.27.3A (IP address)IN (0x0001)false
                                          TimestampSource PortDest PortSource IPDest IPCommands
                                          Nov 29, 2022 11:24:38.225836039 CET58749695119.148.27.3192.168.2.4220-panel2.agni.com ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 16:24:38 +0600
                                          220-We do not authorize the use of this system to transport unsolicited,
                                          220 and/or bulk e-mail.
                                          Nov 29, 2022 11:24:38.226146936 CET49695587192.168.2.4119.148.27.3EHLO 549163
                                          Nov 29, 2022 11:24:38.523627043 CET58749695119.148.27.3192.168.2.4250-panel2.agni.com Hello 549163 [102.129.143.49]
                                          250-SIZE 52428800
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-PIPE_CONNECT
                                          250-STARTTLS
                                          250 HELP
                                          Nov 29, 2022 11:24:38.523865938 CET49695587192.168.2.4119.148.27.3STARTTLS
                                          Nov 29, 2022 11:24:38.826832056 CET58749695119.148.27.3192.168.2.4220 TLS go ahead
                                          Nov 29, 2022 11:25:17.602075100 CET58749696119.148.27.3192.168.2.4220-panel2.agni.com ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 16:25:17 +0600
                                          220-We do not authorize the use of this system to transport unsolicited,
                                          220 and/or bulk e-mail.
                                          Nov 29, 2022 11:25:17.602732897 CET49696587192.168.2.4119.148.27.3EHLO 549163
                                          Nov 29, 2022 11:25:17.901496887 CET58749696119.148.27.3192.168.2.4250-panel2.agni.com Hello 549163 [102.129.143.49]
                                          250-SIZE 52428800
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-PIPE_CONNECT
                                          250-STARTTLS
                                          250 HELP
                                          Nov 29, 2022 11:25:17.902745962 CET49696587192.168.2.4119.148.27.3STARTTLS
                                          Nov 29, 2022 11:25:18.200984001 CET58749696119.148.27.3192.168.2.4220 TLS go ahead

                                          Click to jump to process

                                          Target ID:0
                                          Start time:11:23:57
                                          Start date:29/11/2022
                                          Path:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\PURCHASE ORDER.exe
                                          Imagebase:0xc10000
                                          File size:600576 bytes
                                          MD5 hash:A55B4BB09398659D69F1B8B37541E621
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.341336847.0000000003297000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.342927901.0000000004279000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low

                                          Target ID:1
                                          Start time:11:24:14
                                          Start date:29/11/2022
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmpF89B.tmp
                                          Imagebase:0x2f0000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:2
                                          Start time:11:24:15
                                          Start date:29/11/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7c72c0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:3
                                          Start time:11:24:15
                                          Start date:29/11/2022
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x610000
                                          File size:45152 bytes
                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000003.00000000.337559814.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.412448960.00000000028F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high

                                          Target ID:4
                                          Start time:11:24:17
                                          Start date:29/11/2022
                                          Path:C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Roaming\PAyWOGoRT.exe
                                          Imagebase:0xb40000
                                          File size:600576 bytes
                                          MD5 hash:A55B4BB09398659D69F1B8B37541E621
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:.Net C# or VB.NET
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 61%, ReversingLabs
                                          Reputation:low

                                          Target ID:5
                                          Start time:11:24:31
                                          Start date:29/11/2022
                                          Path:C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
                                          Imagebase:0x900000
                                          File size:45152 bytes
                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:.Net C# or VB.NET
                                          Antivirus matches:
                                          • Detection: 0%, ReversingLabs
                                          Reputation:high

                                          Target ID:6
                                          Start time:11:24:32
                                          Start date:29/11/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7c72c0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:7
                                          Start time:11:24:40
                                          Start date:29/11/2022
                                          Path:C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
                                          Imagebase:0x5c0000
                                          File size:45152 bytes
                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:high

                                          Target ID:8
                                          Start time:11:24:41
                                          Start date:29/11/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7c72c0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:9
                                          Start time:11:24:43
                                          Start date:29/11/2022
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PAyWOGoRT" /XML "C:\Users\user\AppData\Local\Temp\tmp6AED.tmp
                                          Imagebase:0x2f0000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:10
                                          Start time:11:24:43
                                          Start date:29/11/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7c72c0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:11
                                          Start time:11:24:44
                                          Start date:29/11/2022
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):false
                                          Commandline:{path}
                                          Imagebase:0x1b0000
                                          File size:45152 bytes
                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language

                                          Target ID:12
                                          Start time:11:24:44
                                          Start date:29/11/2022
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x640000
                                          File size:45152 bytes
                                          MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.570378772.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                          No disassembly