Windows Analysis Report
PURCHASE ORDER # 12076038 & 12076022.exe

Overview

General Information

Sample Name: PURCHASE ORDER # 12076038 & 12076022.exe
Analysis ID: 756258
MD5: 152c62372d3ea07d023e1e187766fd4b
SHA1: 32b630bc22b63d7eee42851175ebe43a13a92c15
SHA256: b3e12ecdee9eacc7354a7d43ccd3ebe7e6db207e93f73b7a847ff4bee9f27f86
Tags: agentteslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: PURCHASE ORDER # 12076038 & 12076022.exe ReversingLabs: Detection: 57%
Source: PURCHASE ORDER # 12076038 & 12076022.exe Virustotal: Detection: 39% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe ReversingLabs: Detection: 57%
Machine Learning detection for sample
Source: PURCHASE ORDER # 12076038 & 12076022.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.45619a0.1.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.dmstech.in", "Username": "sanjeev@dmstech.in", "Password": "0]6F9Az.pqfd"}
Uses 32bit PE files
Source: PURCHASE ORDER # 12076038 & 12076022.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: PURCHASE ORDER # 12076038 & 12076022.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: upNPDPF.pdb source: PURCHASE ORDER # 12076038 & 12076022.exe, WytzFSULZWRc.exe.0.dr
Source: Binary string: RegSvcs.pdb, source: zBwkauB.exe, 0000000E.00000000.311265436.00000000003B2000.00000002.00000001.01000000.0000000B.sdmp, zBwkauB.exe.3.dr
Source: Binary string: RegSvcs.pdb source: zBwkauB.exe, 0000000E.00000000.311265436.00000000003B2000.00000002.00000001.01000000.0000000B.sdmp, zBwkauB.exe.3.dr

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49705 -> 208.91.199.89:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49705 -> 208.91.199.89:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49705 -> 208.91.199.89:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49705 -> 208.91.199.89:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49706 -> 208.91.199.89:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49706 -> 208.91.199.89:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49706 -> 208.91.199.89:587
Source: Traffic Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49706 -> 208.91.199.89:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.199.89 208.91.199.89
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49705 -> 208.91.199.89:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49705 -> 208.91.199.89:587
Source: RegSvcs.exe, 00000003.00000002.361131528.0000000003051000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000015.00000002.514436513.000000000332C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000015.00000002.514436513.000000000332C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 00000003.00000002.366864567.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000015.00000002.520096733.00000000036EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dmstech.in
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000003.241071729.0000000001B1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://en.w
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000003.00000002.366864567.00000000033DB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000015.00000002.520096733.00000000036EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.dmstech.in
Source: RegSvcs.exe, 00000003.00000003.320266236.0000000006602000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://microsoft.coY
Source: RegSvcs.exe, 00000015.00000002.514436513.000000000332C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sWLumX.com
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.279939033.0000000003491000.00000004.00000800.00020000.00000000.sdmp, WytzFSULZWRc.exe, 00000004.00000002.354685884.00000000031F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.289112556.0000000007492000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000015.00000002.520096733.00000000036EF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000015.00000002.520049418.00000000036E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://3NOOLBR7kS.org
Source: RegSvcs.exe, 00000003.00000002.361131528.0000000003051000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000015.00000002.514436513.000000000332C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: mail.dmstech.in
Creates a DirectInput object (often for capturing keystrokes)
Source: WytzFSULZWRc.exe, 00000004.00000002.352489462.000000000150A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.45619a0.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.45619a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.45619a0.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.45619a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 4.2.WytzFSULZWRc.exe.330ba34.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.35aba94.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.47ce798.3.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.47ce798.3.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.47ce798.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.47ce798.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000003.00000000.277620591.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000004.00000002.367091202.000000000452E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.283195697.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.285809118.0000000004780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: PURCHASE ORDER # 12076038 & 12076022.exe PID: 6092, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4700, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: WytzFSULZWRc.exe PID: 2336, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PURCHASE ORDER # 12076038 & 12076022.exe
.NET source code contains very large array initializations
Source: 3.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b504BEB59u002dACF3u002d46CAu002d9AC1u002dB8B3046B6B1Bu007d/u00367B27B58u002d50FFu002d4529u002dB63Bu002d7EF9B8C34D9D.cs Large array initialization: .cctor: array initializer size 10951
Uses 32bit PE files
Source: PURCHASE ORDER # 12076038 & 12076022.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.45619a0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.45619a0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.45619a0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.45619a0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 4.2.WytzFSULZWRc.exe.330ba34.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.35aba94.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.47ce798.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.47ce798.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.47ce798.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.PURCHASE ORDER # 12076038 & 12076022.exe.47ce798.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000003.00000000.277620591.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000004.00000002.367091202.000000000452E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.283195697.0000000004499000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.285809118.0000000004780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: PURCHASE ORDER # 12076038 & 12076022.exe PID: 6092, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 4700, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: WytzFSULZWRc.exe PID: 2336, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Detected potential crypto function
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Code function: 0_2_01B0C68C 0_2_01B0C68C
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Code function: 0_2_01B0E918 0_2_01B0E918
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Code function: 0_2_01B0E908 0_2_01B0E908
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Code function: 0_2_058DB721 0_2_058DB721
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Code function: 0_2_058DB730 0_2_058DB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_02FCF760 3_2_02FCF760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_02FCFAA8 3_2_02FCFAA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_02FC6960 3_2_02FC6960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05B9C530 3_2_05B9C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05B90548 3_2_05B90548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05B92638 3_2_05B92638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05B9A060 3_2_05B9A060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05B9D290 3_2_05B9D290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061FB228 3_2_061FB228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061F60D0 3_2_061F60D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061FEE38 3_2_061FEE38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061F8EE0 3_2_061F8EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061F7870 3_2_061F7870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061FC478 3_2_061FC478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061FB21A 3_2_061FB21A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061F0040 3_2_061F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061FBEBF 3_2_061FBEBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061F1F88 3_2_061F1F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_067A5858 3_2_067A5858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_067AA8B8 3_2_067AA8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_067A01D3 3_2_067A01D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_067ABE48 3_2_067ABE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_067A6EBA 3_2_067A6EBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_067A5E80 3_2_067A5E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_067A6F68 3_2_067A6F68
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 05B96F60 appears 52 times
Sample file is different than original file name gathered from version info
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000000.237891678.0000000000F22000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameupNPDPF.exeH vs PURCHASE ORDER # 12076038 & 12076022.exe
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.283195697.0000000004499000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename07a44b5d-0712-4fdd-ae1b-2273e47c03d4.exe4 vs PURCHASE ORDER # 12076038 & 12076022.exe
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.293012061.0000000007CB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER # 12076038 & 12076022.exe
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.285809118.0000000004780000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameupNPDPF.exeH vs PURCHASE ORDER # 12076038 & 12076022.exe
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.284178790.00000000045BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs PURCHASE ORDER # 12076038 & 12076022.exe
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.279939033.0000000003491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCassa.dll< vs PURCHASE ORDER # 12076038 & 12076022.exe
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.279939033.0000000003491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename07a44b5d-0712-4fdd-ae1b-2273e47c03d4.exe4 vs PURCHASE ORDER # 12076038 & 12076022.exe
Source: PURCHASE ORDER # 12076038 & 12076022.exe Binary or memory string: OriginalFilenameupNPDPF.exeH vs PURCHASE ORDER # 12076038 & 12076022.exe
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Source: PURCHASE ORDER # 12076038 & 12076022.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WytzFSULZWRc.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PURCHASE ORDER # 12076038 & 12076022.exe ReversingLabs: Detection: 57%
Source: PURCHASE ORDER # 12076038 & 12076022.exe Virustotal: Detection: 39%
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe File read: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Jump to behavior
Source: PURCHASE ORDER # 12076038 & 12076022.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WytzFSULZWRc" /XML "C:\Users\user\AppData\Local\Temp\tmp778D.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe "C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe"
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe "C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe"
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WytzFSULZWRc" /XML "C:\Users\user\AppData\Local\Temp\tmpF325.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WytzFSULZWRc" /XML "C:\Users\user\AppData\Local\Temp\tmp778D.tmp Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WytzFSULZWRc" /XML "C:\Users\user\AppData\Local\Temp\tmpF325.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe File created: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe File created: C:\Users\user\AppData\Local\Temp\tmp778D.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@18/9@4/2
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: PURCHASE ORDER # 12076038 & 12076022.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5060:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2240:120:WilError_01
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Mutant created: \Sessions\1\BaseNamedObjects\NwyRyspTcDNYreUnejXNFB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2888:120:WilError_01
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs Cryptographic APIs: 'CreateDecryptor'
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs Cryptographic APIs: 'CreateDecryptor'
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs Cryptographic APIs: 'CreateDecryptor'
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.RegSvcs.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.RegSvcs.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: PURCHASE ORDER # 12076038 & 12076022.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PURCHASE ORDER # 12076038 & 12076022.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PURCHASE ORDER # 12076038 & 12076022.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: upNPDPF.pdb source: PURCHASE ORDER # 12076038 & 12076022.exe, WytzFSULZWRc.exe.0.dr
Source: Binary string: RegSvcs.pdb, source: zBwkauB.exe, 0000000E.00000000.311265436.00000000003B2000.00000002.00000001.01000000.0000000B.sdmp, zBwkauB.exe.3.dr
Source: Binary string: RegSvcs.pdb source: zBwkauB.exe, 0000000E.00000000.311265436.00000000003B2000.00000002.00000001.01000000.0000000B.sdmp, zBwkauB.exe.3.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/ugy3qyJa0hsIhE8prU.cs .Net Code: dV592oReGS System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/ugy3qyJa0hsIhE8prU.cs .Net Code: dV592oReGS System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/ugy3qyJa0hsIhE8prU.cs .Net Code: dV592oReGS System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_02FC67A0 push 08418B05h; ret 3_2_02FC67B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_05B9C472 push es; ret 3_2_05B9C480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061F44FD push es; retf 3_2_061F4548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061F4549 push es; retf 3_2_061F4594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061F3590 push es; retf 3_2_061F44FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061F0040 push es; iretd 3_2_061F0EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061F4141 push es; retf 3_2_061F44FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061F6D88 push es; iretd 3_2_061F6F4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_061F8BD0 push es; ret 3_2_061F8BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_067AF320 push 90061ECCh; retf 3_2_067AF375
Source: initial sample Static PE information: section name: .text entropy: 7.509653314187712
Source: initial sample Static PE information: section name: .text entropy: 7.509653314187712
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs High entropy of concatenated method names: '.cctor', 'Hv7aJisxkSXT2', 'IbFKUwh7eQ', 'zmPKhgUsvr', 'vC6Kom7A2Z', 'WEsKAyJur1', 'mA2KOqXGJt', 'DxrK0lS3wu', 'MPtKEdqErM', 'R8hKx5Bqn0'
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/Q6qGrMWpsJtFfdBU1i.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'LAHlNOK6u5', 'anboti67UZ', 'FwToUoAPC4', 'UHloebKQto', 'updoDiWdjM', 'VCgoCOHBw5', 'mUcoYnbQwI', 'FryojCwoRm'
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/RnXpZdQtwQpMhw9iMl.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'Vtv9NMP3mZ', 'hUKo79qtHJ', 'xDpoasYMrD', 'FXEolApcGL', 'AVuoRBtOEK', 'iIboAaOaaU', 'RmsoK51O2J', 'AQEo8Dbbi3'
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/CldwuoRdykqqYjFEFj.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'gC1ltSHwcn', 'UHloebKQto', 'updoDiWdjM', 'anboti67UZ', 'FwToUoAPC4', 'VCgoCOHBw5', 'mUcoYnbQwI', 'FryojCwoRm'
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/X69VBSAYxwQs2Ac2mA.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'OdBQgpLHWt', 'hUKo79qtHJ', 'xDpoasYMrD', 'KI2geD0ZIv', 'XuDgDoYeAy', 'cjegjtCqe8', 'uJeg2v9tJP', 'hR5gBgqgGq'
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/Q4EvWR9NJyhZOqWWHA.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'n4mFkxTwaj', 'UHloebKQto', 'updoDiWdjM', 'vHRbAnAgYX', 'eV7bKPA6ON', 'NFybbRclS9', 'ECsbZOfkho', 'GEtbokZEBh'
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/fW6lUreU3immxdBQSS.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'iBRFEbGuV2', 'anboti67UZ', 'FwToUoAPC4', 'R8VgcEIxNI', 'bEbgpS0Dgj', 'DY0b1KMDbh', 'HaBbMKiuXZ', 'pN3gtXTTf4'
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/yIRg8DskOKIX5TsYJa.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'iPpQEZFHyT', 'anboti67UZ', 'FwToUoAPC4', 'VCgoCOHBw5', 'mUcoYnbQwI', 'FryojCwoRm', 'gdpo2SBQmv', 'eIqokm3G5A'
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/TKr659h2OpVFvWFlxm.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'e47B60WEc', 'mL46IQn8hb', 'eQx6OkW4Oe', 'l4m69XsGV2', 'gh76WpgUbW', 'Sxi6VW9XyJ', 'B1U6QCWTV2', 'Bcr60U3LED'
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/ugy3qyJa0hsIhE8prU.cs High entropy of concatenated method names: '.ctor', 'K6E99yODGT', 'llg9lUjqB9', 'Ka59QDxSQv', 'vn99Fch9rF', 'cpb9KvHt89', 'DfM9b3oVdb', 'T0A96PRGAr', 'Dispose', 'c0Q9Z9iGa5'
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs High entropy of concatenated method names: '.cctor', 'Hv7aJisxkSXT2', 'IbFKUwh7eQ', 'zmPKhgUsvr', 'vC6Kom7A2Z', 'WEsKAyJur1', 'mA2KOqXGJt', 'DxrK0lS3wu', 'MPtKEdqErM', 'R8hKx5Bqn0'
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/RnXpZdQtwQpMhw9iMl.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'Vtv9NMP3mZ', 'hUKo79qtHJ', 'xDpoasYMrD', 'FXEolApcGL', 'AVuoRBtOEK', 'iIboAaOaaU', 'RmsoK51O2J', 'AQEo8Dbbi3'
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/Q6qGrMWpsJtFfdBU1i.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'LAHlNOK6u5', 'anboti67UZ', 'FwToUoAPC4', 'UHloebKQto', 'updoDiWdjM', 'VCgoCOHBw5', 'mUcoYnbQwI', 'FryojCwoRm'
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/CldwuoRdykqqYjFEFj.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'gC1ltSHwcn', 'UHloebKQto', 'updoDiWdjM', 'anboti67UZ', 'FwToUoAPC4', 'VCgoCOHBw5', 'mUcoYnbQwI', 'FryojCwoRm'
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/X69VBSAYxwQs2Ac2mA.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'OdBQgpLHWt', 'hUKo79qtHJ', 'xDpoasYMrD', 'KI2geD0ZIv', 'XuDgDoYeAy', 'cjegjtCqe8', 'uJeg2v9tJP', 'hR5gBgqgGq'
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/TKr659h2OpVFvWFlxm.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'e47B60WEc', 'mL46IQn8hb', 'eQx6OkW4Oe', 'l4m69XsGV2', 'gh76WpgUbW', 'Sxi6VW9XyJ', 'B1U6QCWTV2', 'Bcr60U3LED'
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/Q4EvWR9NJyhZOqWWHA.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'n4mFkxTwaj', 'UHloebKQto', 'updoDiWdjM', 'vHRbAnAgYX', 'eV7bKPA6ON', 'NFybbRclS9', 'ECsbZOfkho', 'GEtbokZEBh'
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/ugy3qyJa0hsIhE8prU.cs High entropy of concatenated method names: '.ctor', 'K6E99yODGT', 'llg9lUjqB9', 'Ka59QDxSQv', 'vn99Fch9rF', 'cpb9KvHt89', 'DfM9b3oVdb', 'T0A96PRGAr', 'Dispose', 'c0Q9Z9iGa5'
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/fW6lUreU3immxdBQSS.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'iBRFEbGuV2', 'anboti67UZ', 'FwToUoAPC4', 'R8VgcEIxNI', 'bEbgpS0Dgj', 'DY0b1KMDbh', 'HaBbMKiuXZ', 'pN3gtXTTf4'
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/yIRg8DskOKIX5TsYJa.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'iPpQEZFHyT', 'anboti67UZ', 'FwToUoAPC4', 'VCgoCOHBw5', 'mUcoYnbQwI', 'FryojCwoRm', 'gdpo2SBQmv', 'eIqokm3G5A'
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs High entropy of concatenated method names: '.cctor', 'Hv7aJisxkSXT2', 'IbFKUwh7eQ', 'zmPKhgUsvr', 'vC6Kom7A2Z', 'WEsKAyJur1', 'mA2KOqXGJt', 'DxrK0lS3wu', 'MPtKEdqErM', 'R8hKx5Bqn0'
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/RnXpZdQtwQpMhw9iMl.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'Vtv9NMP3mZ', 'hUKo79qtHJ', 'xDpoasYMrD', 'FXEolApcGL', 'AVuoRBtOEK', 'iIboAaOaaU', 'RmsoK51O2J', 'AQEo8Dbbi3'
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/Q6qGrMWpsJtFfdBU1i.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'LAHlNOK6u5', 'anboti67UZ', 'FwToUoAPC4', 'UHloebKQto', 'updoDiWdjM', 'VCgoCOHBw5', 'mUcoYnbQwI', 'FryojCwoRm'
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/CldwuoRdykqqYjFEFj.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'gC1ltSHwcn', 'UHloebKQto', 'updoDiWdjM', 'anboti67UZ', 'FwToUoAPC4', 'VCgoCOHBw5', 'mUcoYnbQwI', 'FryojCwoRm'
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/X69VBSAYxwQs2Ac2mA.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'OdBQgpLHWt', 'hUKo79qtHJ', 'xDpoasYMrD', 'KI2geD0ZIv', 'XuDgDoYeAy', 'cjegjtCqe8', 'uJeg2v9tJP', 'hR5gBgqgGq'
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/Q4EvWR9NJyhZOqWWHA.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'n4mFkxTwaj', 'UHloebKQto', 'updoDiWdjM', 'vHRbAnAgYX', 'eV7bKPA6ON', 'NFybbRclS9', 'ECsbZOfkho', 'GEtbokZEBh'
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/TKr659h2OpVFvWFlxm.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'e47B60WEc', 'mL46IQn8hb', 'eQx6OkW4Oe', 'l4m69XsGV2', 'gh76WpgUbW', 'Sxi6VW9XyJ', 'B1U6QCWTV2', 'Bcr60U3LED'
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/yIRg8DskOKIX5TsYJa.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'iPpQEZFHyT', 'anboti67UZ', 'FwToUoAPC4', 'VCgoCOHBw5', 'mUcoYnbQwI', 'FryojCwoRm', 'gdpo2SBQmv', 'eIqokm3G5A'
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/ugy3qyJa0hsIhE8prU.cs High entropy of concatenated method names: '.ctor', 'K6E99yODGT', 'llg9lUjqB9', 'Ka59QDxSQv', 'vn99Fch9rF', 'cpb9KvHt89', 'DfM9b3oVdb', 'T0A96PRGAr', 'Dispose', 'c0Q9Z9iGa5'
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/fW6lUreU3immxdBQSS.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'iBRFEbGuV2', 'anboti67UZ', 'FwToUoAPC4', 'R8VgcEIxNI', 'bEbgpS0Dgj', 'DY0b1KMDbh', 'HaBbMKiuXZ', 'pN3gtXTTf4'
Creates processes with suspicious names
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe File created: \purchase order # 12076038 & 12076022.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe File created: \purchase order # 12076038 & 12076022.exe
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe File created: \purchase order # 12076038 & 12076022.exe Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe File created: \purchase order # 12076038 & 12076022.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe File created: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WytzFSULZWRc" /XML "C:\Users\user\AppData\Local\Temp\tmp778D.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zBwkauB Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zBwkauB Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: PURCHASE ORDER # 12076038 & 12076022.exe PID: 6092, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.279939033.0000000003491000.00000004.00000800.00020000.00000000.sdmp, WytzFSULZWRc.exe, 00000004.00000002.354685884.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PURCHASE ORDER # 12076038 & 12076022.exe, 00000000.00000002.279939033.0000000003491000.00000004.00000800.00020000.00000000.sdmp, WytzFSULZWRc.exe, 00000004.00000002.354685884.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe TID: 6052 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe TID: 3516 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe TID: 3080 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe TID: 3796 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9808 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 9713
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99655 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99327 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99216 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99106 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98997 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98888 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98780 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98559 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98341 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97905 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97796 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97577 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97468 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\zBwkauB\zBwkauB.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98212
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97993
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97890
Source: WytzFSULZWRc.exe, 00000004.00000002.354685884.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: WytzFSULZWRc.exe, 00000004.00000002.354685884.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: WytzFSULZWRc.exe, 00000004.00000002.354685884.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WytzFSULZWRc.exe, 00000004.00000002.354685884.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: WytzFSULZWRc.exe, 00000004.00000002.354685884.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: WytzFSULZWRc.exe, 00000004.00000002.354685884.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000003.00000002.358978578.0000000001278000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:
Source: WytzFSULZWRc.exe, 00000004.00000002.354685884.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: WytzFSULZWRc.exe, 00000004.00000002.354685884.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: WytzFSULZWRc.exe, 00000004.00000002.352688516.0000000001540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WytzFSULZWRc.exe, 00000004.00000002.354685884.00000000031F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000015.00000003.415359624.00000000067AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_067A8D28 LdrInitializeThunk, 3_2_067A8D28
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000 Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F98008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1030008 Jump to behavior
.NET source code references suspicious native API functions
Source: PURCHASE ORDER # 12076038 & 12076022.exe, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs Reference to suspicious API methods: ('ceVK8Vd1G9', 'GetProcAddress@kernel32'), ('EO2KGTO024', 'LoadLibrary@kernel32')
Source: WytzFSULZWRc.exe.0.dr, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs Reference to suspicious API methods: ('ceVK8Vd1G9', 'GetProcAddress@kernel32'), ('EO2KGTO024', 'LoadLibrary@kernel32')
Source: 0.0.PURCHASE ORDER # 12076038 & 12076022.exe.f20000.0.unpack, jVvIi9fq9MfQaRHsIU/ayQGj2bHV7w9MNffvt.cs Reference to suspicious API methods: ('ceVK8Vd1G9', 'GetProcAddress@kernel32'), ('EO2KGTO024', 'LoadLibrary@kernel32')
Source: 3.0.RegSvcs.exe.400000.0.unpack, A/C1.cs Reference to suspicious API methods: ('A', 'VirtualAllocExNuma@kernel32.dll')
Source: 3.0.RegSvcs.exe.400000.0.unpack, A/e2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WytzFSULZWRc" /XML "C:\Users\user\AppData\Local\Temp\tmp778D.tmp Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WytzFSULZWRc" /XML "C:\Users\user\AppData\Local\Temp\tmpF325.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Roaming\WytzFSULZWRc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PURCHASE ORDER # 12076038 & 12076022.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation