Windows Analysis Report ADJUSTED PO3917NOV.exe

Overview

General Information

Sample Name: ADJUSTED PO3917NOV.exe
Analysis ID: 514608
MD5: ec46f95f234b89325e198104d1887b1c
SHA1: d0600cdb17f86f31eff130d029a87717fde2cc7a
SHA256: 01bbef21bea94b6ec60c739df3e40e887cf0ea1df7ba2f1678ce708ba10a6203
Tags: exe, warzonerat
Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AntiVM3
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Increases the number of concurrent connections per server for Internet Explorer
Contains functionality to hide user accounts
Contains functionality to steal e-mail passwords
Contains functionality to steal Chrome passwords or cookies
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection:

Found malware configuration
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "185.222.57.253", "port": 4782}
Multi AV Scanner detection for submitted file
Source: ADJUSTED PO3917NOV.exe ReversingLabs: Detection: 31%
Yara detected AveMaria stealer
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe ReversingLabs: Detection: 28%
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack Avira: Label: TR/Redcap.ghjpt

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040CAFC CryptUnprotectData,LocalAlloc,LocalFree, 4_2_0040CAFC
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 4_2_0040CC54
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 4_2_0040CCB4
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040A6C8 GetBinaryTypeW,CopyFileW,CryptReleaseContext,PathFileExistsW,GetPrivateProfileStringW, 4_2_0040A6C8
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040B15E lstrlenA,CryptStringToBinaryA,lstrcpyA, 4_2_0040B15E
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 4_2_0040A632

Exploits:

Yara detected UACMe UAC Bypass tool
Source: Yara match File source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.327615222.000000000159F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319990653.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.321513614.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327551592.000000000159F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.554723844.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.318229472.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319416601.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 5404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 1328, type: MEMORYSTR

Compliance:

Uses 32bit PE files
Source: ADJUSTED PO3917NOV.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Directory created: C:\Program Files\Microsoft DN1
Source: ADJUSTED PO3917NOV.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: ADJUSTED PO3917NOV.exe
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: ADJUSTED PO3917NOV.exe, 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 4_2_0041002B
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 4_2_00409DF6
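The two "Static PE information" lines above record the COFF Characteristics (32BIT_MACHINE, EXECUTABLE_IMAGE) and the DllCharacteristics (NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT) of the submitted file. The script below is an added example and not part of the Joe Sandbox report: it reads both flag words straight out of a PE header with only the Python standard library, so the same mitigation check (ASLR, DEP, CFG, SEH) can be repeated on the sample or on the dropped QUQovKcaZRcNZ.exe. The header it parses is constructed inline with the flag values the report lists (0x0102 and 0x8540); the 0x8540 combination is the default DllCharacteristics emitted by the .NET compilers, which is consistent with the ".NET source code contains potential unpacker" signature above.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINE_I386, MACHINE_AMD64 = 0x14C, 0x8664


def parse_pe_flags(data):
    """Parse the flag words a sandbox reports as 'Static PE information'."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC) or opt_size < 72:
        raise ValueError("unrecognised optional header")
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "file_characteristics": sorted(n for b, n in FILE_CHARACTERISTICS.items() if file_chars & b),
        "dll_characteristics": sorted(n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b),
        "aslr": bool(dll_chars & 0x0040),
        "dep": bool(dll_chars & 0x0100),
        "cfg": bool(dll_chars & 0x4000),
        "no_seh": bool(dll_chars & 0x0400),
    }


def build_stub_pe(machine, file_chars, dll_chars):
    """Constructed minimal PE32 header (headers only, not loadable) carrying the given flags."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 224, file_chars)
    opt = bytearray(224)                                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, 2)                          # Subsystem = WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed header with the flag words the report lists: 32BIT_MACHINE|EXECUTABLE_IMAGE and
# TERMINAL_SERVER_AWARE|NO_SEH|NX_COMPAT|DYNAMIC_BASE.
SAMPLE_HEADER = build_stub_pe(MACHINE_I386, 0x0102, 0x8540)


if __name__ == "__main__":
    info = parse_pe_flags(SAMPLE_HEADER)
    print("machine 0x%x  %s" % (info["machine"], "PE32+" if info["pe32plus"] else "PE32"))
    print("Characteristics   :", ", ".join(info["file_characteristics"]))
    print("DllCharacteristics:", ", ".join(info["dll_characteristics"]))
    print("ASLR=%s DEP=%s CFG=%s NO_SEH=%s" % (info["aslr"], info["dep"], info["cfg"], info["no_seh"]))
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_pe_flags`. NO_SEH here means the image declares no structured exception handlers, which is normal for a .NET loader stub; the absence of GUARD_CF is the one mitigation the report's flag list confirms is missing.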

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.222.57.253
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ROOTLAYERNETNL
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49741 -> 185.222.57.253:4782
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.290529303.0000000005D26000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292156707.0000000005D27000.00000004.00000001.sdmp, ADJUSTED PO3917NOV.exe, 00000000.00000003.292198894.0000000005D27000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.300689225.0000000005D27000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.296145703.0000000005D2C000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com.TTF
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp, ADJUSTED PO3917NOV.exe, 00000000.00000003.300380444.0000000005D28000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295942171.0000000005D2D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.300380444.0000000005D28000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersB
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.296145703.0000000005D2C000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com;
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295910728.0000000005D2C000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.296259109.0000000005D2E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comM.TTF
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.300689225.0000000005D27000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comceva
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295910728.0000000005D2C000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comde
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.297131061.0000000005D2C000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdl
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295942171.0000000005D2D000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comitudl
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295910728.0000000005D2C000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comivaI
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.300689225.0000000005D27000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.como
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291737235.0000000005D28000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291797697.0000000005D27000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn#
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291737235.0000000005D28000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnpor
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291687095.0000000005D27000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnr(
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.293647148.0000000005D2D000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Stan
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/dz
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.293647148.0000000005D2D000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.293647148.0000000005D2D000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com#
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comB
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comeL
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comt
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: ADJUSTED PO3917NOV.exe String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, ADJUSTED PO3917NOV.exe, 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040562F setsockopt,recv,recv, 4_2_0040562F
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.57.253 (50 occurrences)
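The Networking evidence above shows the pattern that gives AveMaria/Warzone away on the wire: repeated TCP connections from the victim (192.168.2.3) to a hard-coded C2 address on a non-standard port (185.222.57.253:4782) with no DNS query for that address. The script below is an added example, not part of the Joe Sandbox report, showing that detection logic over connection and DNS logs: it flags external destinations that never appeared in a DNS answer, that use a port outside a small allow-list, and that are contacted at near-constant intervals. The log format and all lines in SAMPLE_LOG are constructed; the C2 address and port are taken from the report, 203.0.113.10 and 198.51.100.7 are RFC 5737 documentation addresses, and the 30-second spacing is an assumption for the example, not a value measured in the report.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Ports a workstation is expected to reach directly; anything else is "non-standard".
STANDARD_PORTS = {25, 53, 80, 110, 143, 443, 465, 587, 993, 995}

# RFC 1918 / loopback / link-local only. ipaddress.is_private would also match the
# RFC 5737 documentation ranges used in the constructed sample, so it is not used here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed log lines (not the report's pcap). 185.222.57.253:4782 is the C2 from the
# report; 203.0.113.10 and 198.51.100.7 are documentation addresses.
#   DNS  <ts> <client> <qname> <answer-ip>
#   CONN <ts> <src>:<sport> <dst>:<dport> <proto>
SAMPLE_LOG = """\
DNS  2021-11-03T10:00:01Z 192.168.2.3 www.example.com 203.0.113.10
CONN 2021-11-03T10:00:02Z 192.168.2.3:49720 203.0.113.10:443 tcp
CONN 2021-11-03T10:00:03Z 192.168.2.3:49721 192.168.2.1:445 tcp
CONN 2021-11-03T10:00:05Z 192.168.2.3:49741 185.222.57.253:4782 tcp
CONN 2021-11-03T10:00:35Z 192.168.2.3:49742 185.222.57.253:4782 tcp
CONN 2021-11-03T10:01:05Z 192.168.2.3:49743 185.222.57.253:4782 tcp
CONN 2021-11-03T10:01:10Z 192.168.2.3:49744 198.51.100.7:443 tcp
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def analyse(log_text, jitter=5.0):
    """Return {(dst_ip, dst_port, proto): {"count": n, "reasons": [...]}} for suspicious
    external destinations. Reasons: no_dns (IP never returned by a DNS answer),
    nonstandard_port, periodic (>= 3 connections whose spacing varies by <= jitter s)."""
    resolved = set()
    times = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "DNS":
            resolved.add(fields[4])
        elif fields[0] == "CONN":
            stamp = datetime.strptime(fields[1], "%Y-%m-%dT%H:%M:%SZ")
            dst, dport = split_endpoint(fields[3])
            times[(dst, dport, fields[4])].append(stamp)

    reasons = defaultdict(set)
    for key, stamps in times.items():
        dst, dport, _proto = key
        if is_internal(ipaddress.ip_address(dst)):
            continue  # DNS-less connections inside the LAN are normal (SMB, printers, ...)
        if dst not in resolved:
            reasons[key].add("no_dns")
        if dport not in STANDARD_PORTS:
            reasons[key].add("nonstandard_port")
        if len(stamps) >= 3:
            stamps.sort()
            deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if max(deltas) - min(deltas) <= jitter:
                reasons[key].add("periodic")
    return {k: {"count": len(times[k]), "reasons": sorted(v)} for k, v in reasons.items()}


if __name__ == "__main__":
    ranked = sorted(analyse(SAMPLE_LOG).items(), key=lambda kv: -len(kv[1]["reasons"]))
    for (dst, port, proto), info in ranked:
        print(f"{dst}:{port}/{proto}  connections={info['count']}  reasons={','.join(info['reasons'])}")
```

The C2 destination collects all three reasons while the direct-IP HTTPS connection collects only no_dns, which is how an analyst would rank the two; a resolved host on 443 produces nothing. Real Zeek conn.log and dns.log, or firewall and DNS-server logs, map onto the same two record types.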

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_004089D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx, 4_2_004089D5
Installs a raw input device (often for capturing keystrokes)
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match File sources: identical to the list under "Yara detected AveMaria stealer" in AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Detected potential crypto function
PE file contains strange resources
Source: ADJUSTED PO3917NOV.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QUQovKcaZRcNZ.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Uses 32bit PE files
Source: ADJUSTED PO3917NOV.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000003.327615222.000000000159F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000000.319990653.000000000054F000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000000.321513614.000000000054F000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000003.327551592.000000000159F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000002.554723844.000000000054F000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000000.318229472.000000000054F000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.319416601.000000000054F000.00000040.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: String function: 004035E5 appears 39 times
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: String function: 00410969 appears 41 times
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: String function: 046958A0 appears 98 times
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: String function: 046962B0 appears 50 times
Sample file is different than original file name gathered from version info
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.325288855.0000000000A54000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEn.exeb! vs ADJUSTED PO3917NOV.exe
Source: ADJUSTED PO3917NOV.exe, 00000004.00000000.318645839.0000000001034000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEn.exeb! vs ADJUSTED PO3917NOV.exe
Source: ADJUSTED PO3917NOV.exe Binary or memory string: OriginalFilenameEn.exeb! vs ADJUSTED PO3917NOV.exe
Source: ADJUSTED PO3917NOV.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe File created: C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@6/6@0/1
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_04698C40 GetLastError,GetVersionExW,FormatMessageW,FormatMessageA,_free,LocalFree,_free, 4_3_04698C40
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_0040D49C
Source: ADJUSTED PO3917NOV.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_004130B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA, 4_2_004130B3
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe File created: C:\Program Files\Microsoft DN1
Source: ADJUSTED PO3917NOV.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe File read: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe "C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe"
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Process created: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Process created: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 4_2_0040F619
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe File created: C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040F80E CoInitializeSecurity,CoInitialize,CoCreateInstance,VariantInit, 4_2_0040F80E
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046994E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free, 4_3_046994E0
Source: ADJUSTED PO3917NOV.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: ADJUSTED PO3917NOV.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.556535159.0000000004470000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: ADJUSTED PO3917NOV.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: ADJUSTED PO3917NOV.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: ADJUSTED PO3917NOV.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: ADJUSTED PO3917NOV.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_004120B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 4_2_004120B8
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_01
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Mutant created: \Sessions\1\BaseNamedObjects\GjVhIQZsqPgi
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: ADJUSTED PO3917NOV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Directory created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: ADJUSTED PO3917NOV.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: ADJUSTED PO3917NOV.exe
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: ADJUSTED PO3917NOV.exe, 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: ADJUSTED PO3917NOV.exe, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: QUQovKcaZRcNZ.exe.0.dr, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ADJUSTED PO3917NOV.exe.990000.0.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.ADJUSTED PO3917NOV.exe.990000.0.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.2.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.17.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.20.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.7.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.23.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.14.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.5.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.11.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.1.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.9.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.0.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.3.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.ADJUSTED PO3917NOV.exe.f70000.2.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 0_2_00994A25 push ss; ret 0_2_00994A29
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046F8D05 push ecx; ret 4_3_046F8D18
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_00401190 push eax; ret 4_2_004011A4
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_00401190 push eax; ret 4_2_004011CC
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_004144B1 push ebp; retf 4_2_00414564
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_00414550 push ebp; retf 4_2_00414564
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046F981B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 4_3_046F981B

Persistence and Installation Behavior:

Contains functionality to create new users
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040D418 NetUserAdd,NetLocalGroupAddMembers, 4_2_0040D418
Drops PE files
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe File created: C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 4_2_0040AC0A
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040A6C8 GetBinaryTypeW,CopyFileW,CryptReleaseContext,PathFileExistsW,GetPrivateProfileStringW, 4_2_0040A6C8

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp"
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_0040D508
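The schtasks call above is the sample's reboot persistence: the task is registered from an XML file in the user's Temp folder, under a folder name ("Updates") chosen to look like a vendor task. The following is an added triage example, not code from the report or the sample. It takes the recorded command line, plus a task-definition XML constructed here in the schema schtasks /XML consumes (the report does not include the file's contents, and the Exec command path is an assumption modelled on the dropped QUQovKcaZRcNZ.exe in AppData\Roaming), and applies the checks an analyst would run on that pair.

```python
"""Triage of a schtasks /Create ... /XML persistence attempt.

Added example, not part of the sandbox report or of the sample. The command
line is the one the report records; the task XML is constructed and its
Command path is an assumption modelled on the dropped file in AppData\\Roaming.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Command line as recorded in the report (quotes restored).
OBSERVED_CMDLINE = (
    '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\QUQovKcaZRcNZ" '
    '/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmpD7D5.tmp"'
)

# Constructed task definition in the schema schtasks /XML consumes.
# The Command path is assumed; it mirrors the dropped QUQovKcaZRcNZ.exe.
CONSTRUCTED_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\QUQovKcaZRcNZ.exe</Command></Exec>
  </Actions>
</Task>"""

# Locations an unprivileged user can write to; a task pointing here is
# how a non-admin payload survives a reboot.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp)\\", re.I)


def split_windows_cmdline(cmdline):
    """Minimal Windows-style tokenizer: quoted spans stay whole, quotes are dropped."""
    return [q if q else u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks_create(cmdline):
    """Return schtasks switches as a dict; value-taking switches map to their argument."""
    tokens = split_windows_cmdline(cmdline)
    opts = {}
    i = 1  # skip the image path
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok in ("/tn", "/xml", "/tr", "/sc", "/ru") and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def triage_task(cmdline, task_xml):
    """Checks an analyst runs on a schtasks /Create command and the XML it loads."""
    opts = parse_schtasks_create(cmdline)
    findings = []
    if "/create" not in opts:
        return findings
    task_name = opts.get("/tn", "")
    xml_path = opts.get("/xml", "")
    if USER_WRITABLE.search(xml_path):
        findings.append(f"task definition loaded from user-writable path: {xml_path}")
    if "\\" in task_name and not task_name.lower().startswith("\\microsoft\\"):
        findings.append(f"task registered under a non-Microsoft folder: {task_name}")
    root = ET.fromstring(task_xml)
    for cmd in root.findall(".//t:Exec/t:Command", TASK_NS):
        if USER_WRITABLE.search(cmd.text or ""):
            findings.append(f"task action runs a binary from a user-writable path: {cmd.text}")
    hidden = root.find(".//t:Settings/t:Hidden", TASK_NS)
    if hidden is not None and (hidden.text or "").strip().lower() == "true":
        findings.append("task is marked Hidden (not shown by default in Task Scheduler)")
    if root.find(".//t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        findings.append("task fires at every logon")
    return findings


if __name__ == "__main__":
    for line in triage_task(OBSERVED_CMDLINE, CONSTRUCTED_TASK_XML):
        print("-", line)
```

Match on the command line rather than the process image: as the report shows, the 32-bit stage launched C:\Windows\SysWOW64\schtasks.exe while the command line names System32, so an image-path rule keyed on System32 would miss it. On a live host the registered task's XML can be recovered with `schtasks /Query /TN "Updates\QUQovKcaZRcNZ" /XML` and fed to the same function.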

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete
Contains functionality to hide user accounts
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: ADJUSTED PO3917NOV.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ADJUSTED PO3917NOV.exe, 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
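The string block above is the sample's RDP feature: it names the SpecialAccounts\UserList key used to hide a local account from the logon screen, the TermService ServiceDll and ImagePath values, the fDenyTSConnections and EnableConcurrentSessions switches, and the rdpwrap.ini/rfxvmt.dll files under the "Microsoft DN1" directory the sample creates. The following is an added example, not from the report or the sample, that runs the corresponding checks offline against a registry export. The .reg text is constructed: the account name and the ServiceDll path are assumptions (the latter modelled on RDP Wrapper's normal layout, rdpwrap.dll beside rdpwrap.ini), and REG_EXPAND_SZ values are written as plain strings for brevity where a real export would use hex(2).

```python
"""Offline check for hidden local accounts and RDP-enabling registry changes.

Added example, not from the report or the sample. The export below is
constructed; the account name and ServiceDll path are assumptions.
"""
import re

CONSTRUCTED_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"hidden_user"=dword:00000000
"Administrator"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters]
"ServiceDll"="C:\\Program Files\\Microsoft DN1\\rdpwrap.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
"EnableConcurrentSessions"=dword:00000001
"""

USERLIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
TERMSRV_PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Parameters"
TERMINAL_SERVER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
LICENSING_CORE = TERMINAL_SERVER + r"\Licensing Core"


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}} (dword and string values)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, val = m.group(1), m.group(2)
            if val.startswith("dword:"):
                keys[current][name] = int(val[len("dword:"):], 16)
            elif val.startswith('"') and val.endswith('"'):
                keys[current][name] = val[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            else:
                keys[current][name] = val  # hex(...) blobs are left undecoded
    return keys


def triage_registry(keys):
    """Flag the settings a hidden-account / RDP-wrapper install leaves behind."""
    findings = []
    # A UserList value of 0 removes the account from the logon screen and
    # Control Panel; it can still log on, including over RDP.
    for name, val in keys.get(USERLIST, {}).items():
        if val == 0:
            findings.append(f"local account hidden from the logon UI: {name}")
    dll = keys.get(TERMSRV_PARAMS, {}).get("ServiceDll", "")
    if dll and not dll.lower().endswith(r"\system32\termsrv.dll"):
        findings.append(f"TermService ServiceDll points outside termsrv.dll: {dll}")
    if keys.get(TERMINAL_SERVER, {}).get("fDenyTSConnections") == 0:
        findings.append("inbound RDP enabled (fDenyTSConnections=0)")
    if keys.get(LICENSING_CORE, {}).get("EnableConcurrentSessions") == 1:
        findings.append("concurrent RDP sessions enabled (EnableConcurrentSessions=1)")
    return findings


if __name__ == "__main__":
    for line in triage_registry(parse_reg_export(CONSTRUCTED_REG_EXPORT)):
        print("-", line)
```

The ServiceDll check is the decisive one: a stock system resolves it to %SystemRoot%\System32\termsrv.dll, and any other target means the Remote Desktop service is being hosted by a foreign DLL. A UserList entry of 0 on its own is occasionally set by administrators for service accounts, so treat it as a lead to corroborate with the other three values rather than as proof.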
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.2f1db8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 5404, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe TID: 5068 Thread sleep time: -32523s >= -30000s
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe TID: 4068 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe TID: 4724 Thread sleep count: 60 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 4_2_0040DA5B
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046997E0 GetSystemTime followed by cmp: cmp edx, 04h and CTI: jc 0469983Bh 4_3_046997E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Thread delayed: delay time: 32523
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 4_2_0041002B
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_04699970 GetSystemInfo, 4_3_04699970
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 4_2_00409DF6
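The sandbox indicators in this section (SBIEDLL.DLL, the Wine export wine_get_unix_file_name, the VMware SVGA II adapter name, the VMware Tools path and registry key, and the Add-MpPreference -ExclusionPath string used to exclude a path from Defender) were recovered from the first-stage process, which is .NET. .NET string literals sit in memory as UTF-16LE, so an ASCII-only scan of a raw dump misses most of them. The following is an added example, not from the report or the sample, that scans a constructed dump for the same indicators in both encodings; the offsets and padding in the dump are arbitrary.

```python
"""Dual-encoding indicator scan over a process memory dump.

Added example, not from the report or the sample. The dump is constructed
so that narrow and wide strings sit side by side.
"""
INDICATORS = {
    "SBIEDLL.DLL": "Sandboxie user-mode hook DLL",
    "wine_get_unix_file_name": "Wine export (kernel32.dll.wine_get_unix_file_name check)",
    "VMware SVGA II": "VMware display adapter name",
    "SOFTWARE\\VMware, Inc.\\VMware Tools": "VMware Tools registry key",
    "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\": "VMware Tools install path",
    "Add-MpPreference -ExclusionPath": "Defender exclusion via PowerShell",
}

CONSTRUCTED_DUMP = (
    b"\x00" * 16
    + b"SBIEDLL.DLL\x00"                                    # narrow, as GetModuleHandleA takes it
    + b"kernel32.dll.wine_get_unix_file_name\x00"
    + "VMware SVGA II".encode("utf-16-le") + b"\x00\x00"    # .NET literals: UTF-16LE
    + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le") + b"\x00\x00"
    + "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\".encode("utf-16-le") + b"\x00\x00"
    + 'Add-MpPreference -ExclusionPath "'.encode("utf-16-le")
    + b"\xff" * 8
)


def scan_indicators(buf):
    """Return (description, encoding, offset) for every indicator hit, case-insensitively."""
    hits = []
    lowered = buf.lower()  # bytes.lower() only folds ASCII letters, which is what we want
    for needle, what in INDICATORS.items():
        for codec, label in (("ascii", "ascii"), ("utf-16-le", "utf-16le")):
            pattern = needle.lower().encode(codec)
            start = 0
            while (off := lowered.find(pattern, start)) != -1:
                hits.append((what, label, off))
                start = off + 1
    return sorted(hits, key=lambda h: h[2])


def narrow_only(buf):
    """What an ASCII-only scan reports; the gap to scan_indicators() is the point."""
    return [h for h in scan_indicators(buf) if h[1] == "ascii"]


if __name__ == "__main__":
    for what, enc, off in scan_indicators(CONSTRUCTED_DUMP):
        print(f"{off:#08x} {enc:<8} {what}")
```

The same rule applies to YARA: give each string both `ascii` and `wide` modifiers (with `nocase` where the sample upper-cases paths, as it does for the VMware Tools directory), or rules written from the decoded strings in a report like this one will not fire on the .NET stage's memory.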

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046F981B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 4_3_046F981B
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0041094E mov eax, dword ptr fs:[00000030h] 4_2_0041094E
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_00419172 mov eax, dword ptr fs:[00000030h] 4_2_00419172
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_00410619 mov eax, dword ptr fs:[00000030h] 4_2_00410619
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_00410620 mov eax, dword ptr fs:[00000030h] 4_2_00410620
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046F5FCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_3_046F5FCC
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_00401085 GetProcessHeap,RtlAllocateHeap, 4_2_00401085
Enables debug privileges
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046F5FCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_3_046F5FCC
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046F723B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_3_046F723B

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_004079E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 4_2_004079E8
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 4_2_004120B8
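The two code functions above are the classic injection pair: a Toolhelp walk that looks for explorer.exe (or svchost.exe), then OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread against it. In Sysmon telemetry that shows up as Event ID 10 (ProcessAccess, carrying the access mask the injector requested) followed by Event ID 8 (CreateRemoteThread). The following is an added example, not from the report or the sample, that applies the corresponding checks to constructed events. The events use the report's process names; the addresses, access masks of the benign events, and the reduced field set are assumptions.

```python
"""Detecting CreateRemoteThread-style injection from Sysmon Event ID 10 and 8.

Added example, not from the report or the sample. Events are constructed and
carry only the fields the checks use.
"""
import re

# Access rights from winnt.h; writing code into a process and starting it
# needs all three.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Targets the sample's enumeration loop looks for.
INJECTION_TARGETS = {"explorer.exe", "svchost.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\[^\\]+\\Desktop)\\", re.I)

CONSTRUCTED_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x02F40000",
     "StartModule": "", "StartFunction": ""},
    # Benign noise: a query-only handle, and a thread whose start lives in ntdll.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "StartAddress": "0x77A1B2C0",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "LdrInitializeThunk"},
]


def has_injection_rights(granted_access):
    """True if the mask includes every right remote-thread injection needs."""
    return granted_access & INJECT_MASK == INJECT_MASK


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_events(events):
    """Flag handle opens with injection rights and remote threads that look injected."""
    findings = []
    for ev in events:
        target = basename(ev["TargetImage"])
        if ev["EventID"] == 10:
            if has_injection_rights(int(ev["GrantedAccess"], 16)) and target in INJECTION_TARGETS:
                findings.append(f"{basename(ev['SourceImage'])} opened {target} with "
                                f"{ev['GrantedAccess']} (write+create-thread rights)")
        elif ev["EventID"] == 8:
            reasons = []
            if target in INJECTION_TARGETS:
                reasons.append(f"target is {target}")
            if USER_WRITABLE.search(ev["SourceImage"]):
                reasons.append("source runs from a user-writable path")
            if not ev.get("StartModule"):
                reasons.append("start address is not backed by a loaded module")
            if reasons:
                findings.append(f"remote thread at {ev['StartAddress']} in {target}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for line in triage_events(CONSTRUCTED_EVENTS):
        print("-", line)
```

An empty StartModule on Event ID 8 is the strongest single signal here: a thread started in memory that VirtualAllocEx carved out has no backing image, whereas legitimate cross-process threads (csrss.exe is the usual source) start inside ntdll.dll. The access-mask check is deliberately a subset test rather than an equality test against 0x1F0FFF, because an injector can request only the three rights it needs.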
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp"
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Process created: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid, 4_2_0040F56D
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_004118BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError, 4_2_004118BA
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.555576015.0000000001BD0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.555576015.0000000001BD0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.555576015.0000000001BD0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.555576015.0000000001BD0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_2_0040F93F cpuid 4_2_0040F93F
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046997E0 GetSystemTime,GetCurrentProcessId,GetTickCount,QueryPerformanceCounter, 4_3_046997E0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046F73C6 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 4_3_046F73C6
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046994E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free, 4_3_046994E0

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connections per server for Internet Explorer
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Stealing of Sensitive Information:

Yara detected AveMaria stealer
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Contains functionality to steal e-mail passwords
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: POP3 Password 4_2_0040A29A
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: SMTP Password 4_2_0040A29A
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: IMAP Password 4_2_0040A29A
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: \Google\Chrome\User Data\Default\Login Data 4_2_0040C1B2
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: \Chromium\User Data\Default\Login Data 4_2_0040C1B2
Yara detected Credential Stealer
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 5404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 1328, type: MEMORYSTR

Remote Access Functionality:

Yara detected AveMaria stealer
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B4C40 sqlite3_bind_int64, 4_3_046B4C40
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B4C20 sqlite3_bind_int, 4_3_046B4C20
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B4CF0 sqlite3_bind_text, 4_3_046B4CF0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B4CC0 sqlite3_bind_null, 4_3_046B4CC0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B4D50 sqlite3_bind_value, 4_3_046B4D50
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B4D20 sqlite3_bind_text16, 4_3_046B4D20
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B4EE0 sqlite3_bind_zeroblob, 4_3_046B4EE0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B4F70 sqlite3_bind_parameter_count, 4_3_046B4F70
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B4FF0 sqlite3_bind_parameter_name, 4_3_046B4FF0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B3030 sqlite3_clear_bindings,_memset, 4_3_046B3030
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B50E0 sqlite3_bind_parameter_index, 4_3_046B50E0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B52D0 sqlite3_transfer_bindings, 4_3_046B52D0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B4BC0 sqlite3_bind_double, 4_3_046B4BC0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe Code function: 4_3_046B4B90 sqlite3_bind_blob, 4_3_046B4B90