Windows Analysis Report ADJUSTED PO3917NOV.exe

Overview

General Information

Sample Name: ADJUSTED PO3917NOV.exe
Analysis ID: 514608
MD5: ec46f95f234b89325e198104d1887b1c
SHA1: d0600cdb17f86f31eff130d029a87717fde2cc7a
SHA256: 01bbef21bea94b6ec60c739df3e40e887cf0ea1df7ba2f1678ce708ba10a6203
Tags: exe, warzonerat

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AntiVM3
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Contains functionality to steal e-mail passwords
Contains functionality to steal Chrome passwords or cookies
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Uses the system / local time for branch decision (may execute only at specific dates)
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • ADJUSTED PO3917NOV.exe (PID: 5404 cmdline: "C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe" MD5: EC46F95F234B89325E198104D1887B1C)
    • schtasks.exe (PID: 3244 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ADJUSTED PO3917NOV.exe (PID: 1328 cmdline: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe MD5: EC46F95F234B89325E198104D1887B1C)
  • cleanup
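The tree shows the persistence step: the first instance (PID 5404) runs schtasks.exe /Create for a task named Updates\QUQovKcaZRcNZ whose definition comes from an XML file written to %TEMP%, and the report later lists C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe as a dropped file. On a host under triage, that XML (or the export of the registered task) is the fastest way to see what runs, when, and with which privileges. The following is an added Python example, not part of the Joe Sandbox report or of the malware: it parses a Task Scheduler XML definition and flags the traits that matter here. The XML is constructed (the report does not show the contents of tmpD7D5.tmp), and pointing its action at the dropped QUQovKcaZRcNZ.exe is an assumption.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Tuple, Union

# Namespace of Task Scheduler 2.0 task definitions (the format schtasks /XML consumes).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to; a task whose action lives there is
# suspicious because installed software normally schedules binaries elsewhere.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample task XML. The report does not show the contents of
# tmpD7D5.tmp; using the dropped file named in the report
# (C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe) as the action is an ASSUMPTION.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


@dataclass
class TaskSummary:
    triggers: List[str] = field(default_factory=list)
    actions: List[Tuple[str, str]] = field(default_factory=list)  # (command, arguments)
    hidden: bool = False
    run_level: str = ""
    findings: List[str] = field(default_factory=list)


def _text(node, path: str, default: str = "") -> str:
    """findtext() with the task namespace applied and whitespace stripped."""
    value = node.findtext(path, default=default, namespaces=TASK_NS)
    return (value or default).strip()


def triage_task_xml(xml_text: Union[str, bytes]) -> TaskSummary:
    """Summarise a Task Scheduler XML definition and flag persistence-style traits."""
    root = ET.fromstring(xml_text)
    summary = TaskSummary()

    triggers = root.find("t:Triggers", TASK_NS)
    if triggers is not None:
        # child tags look like "{namespace}LogonTrigger"; keep the local name only
        summary.triggers = [child.tag.rsplit("}", 1)[-1] for child in triggers]

    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        summary.actions.append((_text(exec_el, "t:Command"), _text(exec_el, "t:Arguments")))

    summary.hidden = _text(root, ".//t:Settings/t:Hidden", "false").lower() == "true"
    summary.run_level = _text(root, ".//t:Principals/t:Principal/t:RunLevel", "LeastPrivilege")

    for command, _ in summary.actions:
        if any(marker in command.lower() for marker in USER_WRITABLE_MARKERS):
            summary.findings.append(f"action runs from a user-writable path: {command}")
    if "LogonTrigger" in summary.triggers:
        summary.findings.append("runs at every logon (persistence)")
    if summary.hidden:
        summary.findings.append("task is marked Hidden")
    if summary.run_level == "HighestAvailable":
        summary.findings.append("requests HighestAvailable run level")
    return summary


if __name__ == "__main__":
    result = triage_task_xml(SAMPLE_TASK_XML)
    print("triggers:", result.triggers)
    print("actions:", result.actions)
    for finding in result.findings:
        print("!", finding)
```

On a live host the registered definition can be pulled with `schtasks /Query /TN "Updates\QUQovKcaZRcNZ" /XML`, or read directly from C:\Windows\System32\Tasks\Updates\QUQovKcaZRcNZ, where the Task Scheduler stores it as XML; pass the file's bytes to triage_task_xml() so the parser honours the file's own encoding declaration.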

Malware Configuration

Threatname: AveMaria

{"C2 url": "185.222.57.253", "port": 4782}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x150e8:$a1: \Opera Software\Opera Stable\Login Data
  • 0x15410:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x14d58:$a3: \Google\Chrome\User Data\Default\Login Data
00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
(63 entries in total; only the first five are shown here)

Unpacked PEs

Source | Rule | Description | Author
4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x2318:$c1: Elevation:Administrator!new:
4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xb18:$c1: Elevation:Administrator!new:
(131 entries in total; only the first five are shown here)

Note that the Codoso_Gh0st_1/2 hits are carried entirely by the Elevation:Administrator!new:{3ad05575-...} string. That is the COM elevation moniker for the CMSTPLUA interface, a UAC-bypass technique implemented in UACMe and reused by many unrelated families; on its own it supports the UACMe verdict, not an attribution to Codoso tooling.
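The matches above are plain string hits at fixed offsets: one rule family looks for browser credential-store paths (Login Data files), the other for the COM elevation moniker. The following added Python example (not from the report, from Joe Security or from the rule authors) reproduces that kind of check with the standard library only. It scans a byte buffer for the indicator strings quoted in the report in both ASCII and UTF-16LE form, because Windows code often keeps such paths as wide strings (whether this sample does is an assumption; the report's hits do not state the encoding), applies a YARA-style "2 of" condition for the path rule, and prints offset:identifier lines in the report's style. The buffer it scans is constructed, not a dump from this analysis.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Indicator strings copied from the YARA hits in the report. The scanner
# reproduces the report's "0x<offset>:$<identifier>" notation.
RULES = {
    "browser_login_data_paths": {
        "strings": {
            "$a1": r"\Opera Software\Opera Stable\Login Data",
            "$a2": r"\Comodo\Dragon\User Data\Default\Login Data",
            "$a3": r"\Google\Chrome\User Data\Default\Login Data",
        },
        "min_distinct": 2,  # YARA-style "2 of ($a*)"
    },
    "com_elevation_moniker": {
        "strings": {
            "$c1": "Elevation:Administrator!new:",
            "$x3": "Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}",
        },
        "min_distinct": 1,
    },
}

Hit = Tuple[int, str, str]  # (offset, identifier, encoding)


def _encoded_patterns(s: str) -> Iterator[Tuple[str, "re.Pattern"]]:
    """Yield the ASCII and UTF-16LE ('wide') byte patterns for one indicator string."""
    yield "ascii", re.compile(re.escape(s.encode("ascii")))
    yield "wide", re.compile(re.escape(s.encode("utf-16-le")))


def scan(buf: bytes) -> Dict[str, List[Hit]]:
    """Return {rule_name: sorted hits} for every rule whose condition is satisfied."""
    results: Dict[str, List[Hit]] = {}
    for name, rule in RULES.items():
        hits: List[Hit] = []
        for ident, s in rule["strings"].items():
            for encoding, pattern in _encoded_patterns(s):
                hits.extend((m.start(), ident, encoding) for m in pattern.finditer(buf))
        # the condition counts distinct identifiers, not raw occurrences
        distinct = {ident for _, ident, _ in hits}
        if len(distinct) >= rule["min_distinct"]:
            results[name] = sorted(hits)
    return results


def format_hits(results: Dict[str, List[Hit]]) -> List[str]:
    """Render hits the way the report does: 0x<offset>:<identifier> [encoding]."""
    lines = []
    for name, hits in results.items():
        lines.append(name)
        for offset, ident, encoding in hits:
            lines.append(f"  0x{offset:x}:{ident} [{encoding}]")
    return lines


def build_sample() -> bytes:
    """Constructed test buffer (not a real memory dump) mixing wide and ASCII indicators."""
    return b"".join([
        b"\x00" * 64,
        b"MZ" + b"\x90" * 30,
        r"\Google\Chrome\User Data\Default\Login Data".encode("utf-16-le"),   # wide, at 0x60
        b"\x00" * 16,
        r"\Opera Software\Opera Stable\Login Data".encode("ascii"),           # ascii, at 0xc6
        b"\x00" * 16,
        b"Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}",  # ascii, at 0xfd
        b"\x00" * 32,
    ])


if __name__ == "__main__":
    for line in format_hits(scan(build_sample())):
        print(line)
```

To run it over a real artefact, pass the file's bytes to scan(), for example the .unpack files the sandbox offers for download. The 2-of-3 condition is what separates a credential stealer from a legitimate program that references only its own Login Data file; the prefix-only $c1 string fires alongside $x3 at the same offset, which is also why the report lists both for one location.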

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, Malware Configuration Extractor: AveMaria {"C2 url": "185.222.57.253", "port": 4782}
Multi AV Scanner detection for submitted file
Source: ADJUSTED PO3917NOV.exe, ReversingLabs: Detection: 31%
Yara detected AveMaria stealer
Source: Yara match, file source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe, ReversingLabs: Detection: 28%
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, Avira: Label: TR/Redcap.ghjpt
Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, Avira: Label: TR/Redcap.ghjpt
Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, Avira: Label: TR/Redcap.ghjpt
Further evidence in this category (signature titles not preserved in this export):
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe, Code function: 4_2_0040CAFC CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe, Code function: 4_2_0040CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe, Code function: 4_2_0040CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe, Code function: 4_2_0040A6C8 GetBinaryTypeW,CopyFileW,CryptReleaseContext,PathFileExistsW,GetPrivateProfileStringW,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe, Code function: 4_2_0040B15E lstrlenA,CryptStringToBinaryA,lstrcpyA,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe, Code function: 4_2_0040A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,

Exploits:

Yara detected UACMe UAC Bypass tool
Source: Yara match, file source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000004.00000003.327615222.000000000159F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000000.319990653.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000000.321513614.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000003.327551592.000000000159F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000002.554723844.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000000.318229472.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000004.00000000.319416601.000000000054F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 5404, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 1328, type: MEMORYSTR
Further evidence in this category (signature titles not preserved in this export):
Source: ADJUSTED PO3917NOV.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe, Directory created: C:\Program Files\Microsoft DN1
Source: ADJUSTED PO3917NOV.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: ADJUSTED PO3917NOV.exe
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: ADJUSTED PO3917NOV.exe, 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe, Code function: 4_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe, Code function: 4_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: 185.222.57.253
Source: Joe Sandbox View, ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
Source: global traffic, TCP traffic: 192.168.2.3:49741 -> 185.222.57.253:4782
The strings below were found in memory and are not observed traffic; the only network connection recorded in this analysis is the TCP session to 185.222.57.253:4782 above.
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.290529303.0000000005D26000.00000004.00000001.sdmp: String found in binary or memory: http://en.w
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://fontfabrik.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp: String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292156707.0000000005D27000.00000004.00000001.sdmp, ADJUSTED PO3917NOV.exe, 00000000.00000003.292198894.0000000005D27000.00000004.00000001.sdmp: String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.carterandcone.coml
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.300689225.0000000005D27000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.296145703.0000000005D2C000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com.TTF
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp, ADJUSTED PO3917NOV.exe, 00000000.00000003.300380444.0000000005D28000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295942171.0000000005D2D000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers8
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers?
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.300380444.0000000005D28000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designersB
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designersG
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.296145703.0000000005D2C000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com;
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295910728.0000000005D2C000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.comF
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.296259109.0000000005D2E000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.comM.TTF
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.300689225.0000000005D27000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.comceva
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295910728.0000000005D2C000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.comde
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.297131061.0000000005D2C000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.comdl
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295942171.0000000005D2D000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.comitudl
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.295910728.0000000005D2C000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.comivaI
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.300689225.0000000005D27000.00000004.00000001.sdmp: String found in binary or memory: http://www.fontbureau.como
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.fonts.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291737235.0000000005D28000.00000004.00000001.sdmp: String found in binary or memory: http://www.founder.com.cn/cn
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291797697.0000000005D27000.00000004.00000001.sdmp: String found in binary or memory: http://www.founder.com.cn/cn#
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291737235.0000000005D28000.00000004.00000001.sdmp: String found in binary or memory: http://www.founder.com.cn/cnpor
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291687095.0000000005D27000.00000004.00000001.sdmp: String found in binary or memory: http://www.founder.com.cn/cnr(
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.goodfont.co.kr
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp: String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.293647148.0000000005D2D000.00000004.00000001.sdmp: String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp: String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp: String found in binary or memory: http://www.jiyu-kobo.co.jp/Stan
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.292846609.0000000005D2B000.00000004.00000001.sdmp: String found in binary or memory: http://www.jiyu-kobo.co.jp/dz
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.293647148.0000000005D2D000.00000004.00000001.sdmp: String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.293647148.0000000005D2D000.00000004.00000001.sdmp: String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.sajatypeworks.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp: String found in binary or memory: http://www.sajatypeworks.com#
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp: String found in binary or memory: http://www.sajatypeworks.comB
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp: String found in binary or memory: http://www.sajatypeworks.comeL
Source: ADJUSTED PO3917NOV.exe, 00000000.00000003.291966655.0000000005D3B000.00000004.00000001.sdmp: String found in binary or memory: http://www.sajatypeworks.comt
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.sakkal.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.sandoll.co.kr
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.tiro.com
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.typography.netD
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.urwpp.deDPlease
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.328394021.0000000006F32000.00000004.00000001.sdmp: String found in binary or memory: http://www.zhongyicts.com.cn
Source: ADJUSTED PO3917NOV.exe: String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, ADJUSTED PO3917NOV.exe, 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp: String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe, Code function: 4_2_0040562F setsockopt,recv,recv,
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.253
            Source: unknown; TCP traffic detected without corresponding DNS query: 185.222.57.253 (26 identical entries)
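
            The "TCP traffic detected without corresponding DNS query" signature above is a generic behaviour a SOC can reproduce from its own DNS and connection telemetry: a host that opens a socket to a public address it never resolved is either using a hard-coded C2 address (as AveMaria does here) or a non-DNS resolver. The Python below is an added example, not part of the Joe Sandbox report; it replays a constructed, time-ordered event stream in a hypothetical `<ts> DNS <qname> -> <ip>` / `<ts> TCP <src>:<sport> -> <dst>:<dport>` format. Only the C2 address 185.222.57.253 is taken from the report; the hostnames and other addresses are made up from documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events (NOT taken from the sandbox report), already in
# time order. Two record shapes share one stream:
#   <ts> DNS <qname> -> <answer ip>
#   <ts> TCP <src ip>:<sport> -> <dst ip>:<dport>
# 185.222.57.253 is the C2 address from the report; everything else is made up.
SAMPLE_EVENTS = """\
10:00:01 DNS update.example-cdn.test -> 203.0.113.10
10:00:02 DNS mail.example.test -> 198.51.100.7
10:00:02 DNS mail.example.test -> 198.51.100.8
10:00:03 TCP 10.0.0.5:49812 -> 203.0.113.10:443
10:00:04 TCP 10.0.0.5:49813 -> 198.51.100.8:993
10:00:05 TCP 10.0.0.5:49814 -> 185.222.57.253:5200
10:00:06 TCP 10.0.0.5:49815 -> 10.0.0.1:445
10:00:09 TCP 10.0.0.5:49816 -> 185.222.57.253:5200
10:00:10 TCP 10.0.0.5:49817 -> 192.0.2.44:80
10:00:11 DNS late.example.test -> 192.0.2.44
10:00:14 TCP 10.0.0.5:49818 -> 185.222.57.253:5200
"""

DNS_RE = re.compile(r"^(\S+) DNS (\S+) -> (\S+)$")
TCP_RE = re.compile(r"^(\S+) TCP (\S+):(\d+) -> (\S+):(\d+)$")

# Destinations legitimately reached without DNS: RFC 1918, loopback,
# link-local, multicast and the limited broadcast address. Listed explicitly
# rather than via ipaddress.is_global so that documentation ranges used in the
# sample data count as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def is_local(ip_text):
    """True for destinations that never need a DNS lookup to be legitimate."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LOCAL_NETS)


def flag_dnsless_connections(events_text):
    """Walk the stream in order; a TCP connect is flagged when its destination
    did not appear in any DNS answer seen *earlier*. Returns (flagged, beacons):
    flagged is a list of (ts, dst_ip, dst_port); beacons counts flagged
    (dst_ip, dst_port) pairs so repeated contacts to one endpoint stand out."""
    resolved = set()
    flagged = []
    for line in events_text.splitlines():
        m = DNS_RE.match(line)
        if m:
            resolved.add(m.group(3))
            continue
        m = TCP_RE.match(line)
        if not m:
            continue  # ignore records in neither shape
        ts, _src, _sport, dst, dport = m.groups()
        if is_local(dst) or dst in resolved:
            continue
        flagged.append((ts, dst, int(dport)))
    beacons = Counter((dst, dport) for _, dst, dport in flagged)
    return flagged, beacons


if __name__ == "__main__":
    hits, counts = flag_dnsless_connections(SAMPLE_EVENTS)
    for (dst, dport), n in counts.most_common():
        print(f"{dst}:{dport} contacted {n} time(s) without a prior DNS answer")
```

            Ordering is the point of the check: the connect to 192.0.2.44 is flagged because its DNS answer arrives only afterwards, which is the same reason a single-pass set lookup over a whole day of logs would miss this class of beacon. A production version should also expire resolutions by TTL and handle CNAME chains, neither of which the sample stream needs.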
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_2_004089D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,
            Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp; Binary or memory string: GetRawInputData

            E-Banking Fraud:

            Yara detected AveMaria stealer
            Source: Yara match; File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
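
            The source identifiers in the match list above follow Joe Sandbox's naming for unpacked PE buffers (`pid.stage.image.address.index[.raw].unpack`) and for memory dumps (`pid.stage.dumpid.base.protection.type.sdmp`, with zero-padded hex fields). Read together they carry a triage fact the flat list hides: every dump of process 4 at 0x400000, the default 32-bit image base, is PAGE_EXECUTE_READWRITE (0x40), while the matches in process 0 sit in PAGE_READWRITE (0x04) heap regions, which is the footprint of a payload written over the image of a second process and matches the thread-injection signatures listed in the overview. The Python below is an added example, not part of the report or of Joe Sandbox; the field order and meaning of the identifiers are this editor's reading of the naming scheme and are an assumption, while the PAGE_* values are the Windows constants from winnt.h. The identifiers in REPORT_SOURCES are a subset copied from the lists on this page.

```python
import re
from collections import defaultdict

# Windows memory protection constants (winnt.h). The 8-digit hex field
# before the type field of a .sdmp name is read as this value (assumption).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80

# Assumed field layout: pid.stage.dumpid.base.protection.type.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<kind>[0-9A-Fa-f]{8})\.sdmp$")
# Assumed field layout: pid.stage.image.address.index[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\."
    r"(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$")

# Subset of identifiers copied from this report's match lists, plus one
# deliberately malformed entry to show the parser rejecting it.
REPORT_SOURCES = [
    "0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack",
    "0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack",
    "4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack",
    "4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack",
    "00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp",
    "00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp",
    "00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp",
    "00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp",
    "not-a-source-identifier",
]


def parse_source(name):
    """Decode one identifier into its fields; None if it is neither shape."""
    m = SDMP_RE.match(name)
    if m:
        protect = int(m["protect"], 16)
        return {
            "kind": "memory",
            "pid": int(m["pid"], 16),
            "stage": int(m["stage"], 16),
            "base": int(m["base"], 16),
            "protect": protect,
            "protect_name": PAGE_PROTECTION.get(protect & 0xFF, "unknown"),
            "executable": bool(protect & EXECUTABLE_MASK),
        }
    m = UNPACK_RE.match(name)
    if m:
        return {
            "kind": "unpacked_pe",
            "pid": int(m["pid"]),
            "stage": int(m["stage"]),
            "image": m["image"],
            "base": int(m["base"], 16),
            "raw": m["raw"] is not None,
        }
    return None


def pivot_by_region(names):
    """Group identifiers by (pid, base): how many sources hit the region,
    which protections its memory dumps carried, whether any was executable,
    and at which analysis stages it was seen."""
    regions = defaultdict(lambda: {
        "hits": 0, "protections": set(), "executable": False, "stages": set()})
    for name in names:
        info = parse_source(name)
        if info is None:
            continue
        region = regions[(info["pid"], info["base"])]
        region["hits"] += 1
        region["stages"].add(info["stage"])
        if info["kind"] == "memory":
            region["protections"].add(info["protect_name"])
            region["executable"] |= info["executable"]
    return dict(regions)


def injected_image_regions(regions, origin_pid=0, image_base=0x400000):
    """Regions that look like a payload mapped at the default image base of a
    process other than the submitted sample, with writable+executable pages."""
    return sorted(
        pid_base for pid_base, r in regions.items()
        if pid_base[1] == image_base and pid_base[0] != origin_pid
        and "PAGE_EXECUTE_READWRITE" in r["protections"])


if __name__ == "__main__":
    by_region = pivot_by_region(REPORT_SOURCES)
    for (pid, base), r in sorted(by_region.items()):
        print(f"pid {pid} @ {base:#010x}: {r['hits']} hit(s), "
              f"{sorted(r['protections']) or ['(unpacked PE only)']}, stages {sorted(r['stages'])}")
    print("likely injected image:", [(p, hex(b)) for p, b in injected_image_regions(by_region)])
```

            Pivoting by region rather than by rule is also the right way to read the three rule families in the next section: the Codoso Gh0st, Envrial and AveMaria_WarZone rules fire on the same buffers, so the per-rule list adds rows without adding regions, and the region view is what you carry into memory forensics on a live host (look for an RWX image mapping at 0x400000 in a child of the dropper).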

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Detects Codoso APT Gh0st Malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
            Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
            Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: AveMaria_WarZone; Author: unknown
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 0_2_0121CE74
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 0_2_0121F2D0
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046A42D0
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046D6B50
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_04696C00
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_0469BCD0
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046A04D0
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_04696D30
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_04691D30
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_04694660
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046A7E70
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046A56B0
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046A8720
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046A9730
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046A6010
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046ED960
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046AD920
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046EB910
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046B11E0
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046AC9C0
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_04695AB0
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046A5B40
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046A2350
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_3_046EEB80
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe; Code function: 4_2_00411BF8
            Source: ADJUSTED PO3917NOV.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: QUQovKcaZRcNZ.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: ADJUSTED PO3917NOV.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.5.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.ADJUSTED PO3917NOV.exe.312c090.2.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE; Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE; Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a0220.2.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.3.ADJUSTED PO3917NOV.exe.15a17b8.0.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000004.00000003.327615222.000000000159F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000004.00000000.319990653.000000000054F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000004.00000000.321513614.000000000054F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000004.00000003.327551592.000000000159F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000004.00000002.554723844.000000000054F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000004.00000000.318229472.000000000054F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000000.319416601.000000000054F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: String function: 004035E5 appears 39 times
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: String function: 00410969 appears 41 times
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: String function: 046958A0 appears 98 times
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: String function: 046962B0 appears 50 times
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.325288855.0000000000A54000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEn.exeb! vs ADJUSTED PO3917NOV.exe
Source: ADJUSTED PO3917NOV.exe, 00000004.00000000.318645839.0000000001034000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEn.exeb! vs ADJUSTED PO3917NOV.exe
Source: ADJUSTED PO3917NOV.exe | Binary or memory string: OriginalFilenameEn.exeb! vs ADJUSTED PO3917NOV.exe
Source: ADJUSTED PO3917NOV.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | File created: C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe
Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@6/6@0/1
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_04698C40 GetLastError,GetVersionExW,FormatMessageW,FormatMessageA,_free,LocalFree,_free,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_0040D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,
Source: ADJUSTED PO3917NOV.exe | Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_004130B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | File created: C:\Program Files\Microsoft DN1
Source: ADJUSTED PO3917NOV.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | File read: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe "C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe"
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Process created: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Process created: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_0040F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_0040F80E CoInitializeSecurity,CoInitialize,CoCreateInstance,VariantInit,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046994E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,
Source: ADJUSTED PO3917NOV.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: ADJUSTED PO3917NOV.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.556535159.0000000004470000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: ADJUSTED PO3917NOV.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: ADJUSTED PO3917NOV.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: ADJUSTED PO3917NOV.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: ADJUSTED PO3917NOV.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_004120B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_01
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Mutant created: \Sessions\1\BaseNamedObjects\GjVhIQZsqPgi
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: ADJUSTED PO3917NOV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Directory created: C:\Program Files\Microsoft DN1
Source: ADJUSTED PO3917NOV.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb | source: ADJUSTED PO3917NOV.exe
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb | source: ADJUSTED PO3917NOV.exe, 00000004.00000003.336122914.0000000004690000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: ADJUSTED PO3917NOV.exe, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: QUQovKcaZRcNZ.exe.0.dr, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ADJUSTED PO3917NOV.exe.990000.0.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.ADJUSTED PO3917NOV.exe.990000.0.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.2.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.17.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.20.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.7.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.23.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.14.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.5.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.11.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.1.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.9.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.0.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.ADJUSTED PO3917NOV.exe.f70000.3.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.ADJUSTED PO3917NOV.exe.f70000.2.unpack, cs276_bjt_11__2008_hashFunctions/Form_hashFunctions.cs | .Net Code: ParallelLoopResult System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 0_2_00994A25 push ss; ret
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046F8D05 push ecx; ret
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_00401190 push eax; ret
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_00401190 push eax; ret
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_004144B1 push ebp; retf
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_00414550 push ebp; retf
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046F981B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_0040D418 NetUserAdd,NetLocalGroupAddMembers,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | File created: C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_0040AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_0040A6C8 GetBinaryTypeW,CopyFileW,CryptReleaseContext,PathFileExistsW,GetPrivateProfileStringW,

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_0040D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,
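The schtasks row above and the process chain earlier in the report (the sample starting schtasks.exe with /XML pointing at a file in %TEMP%, then starting a second copy of itself) are the two events a detection engineer keys on. What follows is an added example, not Joe Sandbox code and not taken from the sample: two rules run over constructed process-creation events (all PIDs except 5404 and 4412 are made up, and STAGING_DIRS is an assumed list of user-writable folders) and return what fired.

```python
"""Triage rules for the process tree above: schtasks.exe importing a task definition
from a user-writable staging directory, and a process launching a second copy of
its own image. Added example with constructed events; not Joe Sandbox code."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # raw command line as logged


# User-writable locations a task XML should never be imported from (assumption:
# default Windows profile layout; extend for your environment).
STAGING_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)


def _arg_after(flag, cmdline):
    """Value following a schtasks flag, quoted ("a b") or bare. The unbalanced quote
    in the report row ('...schtasks.exe" /Create ...') is tolerated by stripping."""
    m = re.search(flag + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip('"')


def schtasks_from_staging(ev):
    """(task_name, xml_path) if ev is 'schtasks /Create ... /XML <staging path>', else None."""
    if ntpath.basename(ev.image).lower() != "schtasks.exe":
        return None
    if not re.search(r"/create\b", ev.cmdline, re.IGNORECASE):
        return None
    xml_path = _arg_after("/XML", ev.cmdline)
    if not xml_path or not any(d in xml_path.lower() for d in STAGING_DIRS):
        return None
    return (_arg_after("/TN", ev.cmdline) or "", xml_path)


def self_spawns(events):
    """(parent_pid, child_pid) for every process that started another copy of its own
    image. The .NET loader here did exactly that to host the unpacked native payload."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            hits.append((parent.pid, e.pid))
    return hits


def triage(events):
    tasks = [t for t in (schtasks_from_staging(e) for e in events) if t]
    return {"scheduled_tasks": tasks, "self_spawns": self_spawns(events)}


# Constructed events mirroring the tree in the report (PIDs other than 5404 and 4412
# are made up; the last event is a benign control that must not fire).
SAMPLE_EVENTS = [
    ProcEvent(5404, 1000, r"C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe",
              r'"C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe"'),
    ProcEvent(4412, 5404, r"C:\Windows\SysWOW64\schtasks.exe",
              r'C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp'),
    ProcEvent(4468, 4412, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(5512, 5404, r"C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe",
              r"C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe"),
    ProcEvent(6000, 1000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\update.xml"'),
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_EVENTS).items():
        print(key, hits)
```

Deleting tmpD7D5.tmp after the import does not help the attacker: the definition is copied into the task store under the /TN name, so "Updates\QUQovKcaZRcNZ" is the value to sweep for on other hosts, together with the dropped C:\Users\<user>\AppData\Roaming\QUQovKcaZRcNZ.exe the task points at.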

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | File opened: C:\Users\user\Desktop\:Zone.Identifier (read attributes | delete)
Contains functionality to hide user accounts
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: ADJUSTED PO3917NOV.exe | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: ADJUSTED PO3917NOV.exe, 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Process information set: NOOPENFILEERRORBOX (38 identical rows)
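The strings in this section are the complete recipe for a hidden RDP backdoor: a REG_DWORD of 0 under SpecialAccounts\UserList hides an account from the logon screen, the TermService ServiceDll value decides which DLL svchost.exe loads for Remote Desktop, fDenyTSConnections / AllowMultipleTSSessions / EnableConcurrentSessions switch RDP and concurrent sessions on, and rdpwrap.ini plus rfxvmt.dll under "Microsoft DN1" are RDP-wrapper components. The checks below are an added example for sweeping a host for those artifacts; they are not part of the report, and the inputs are a constructed registry, file and group snapshot (the account name svc_backup and the sqlmap.dll ServiceDll target are assumptions, and rdpwrap.dll is added as the stock RDP Wrapper filename).

```python
"""Host triage for the artifacts named in the strings above: accounts hidden via
SpecialAccounts\\UserList, a replaced TermService ServiceDll, RDP policy flipped
on, and RDP-wrapper files under 'Microsoft DN1'. Added example with a constructed
registry/file snapshot; the checks are this editor's, not the sandbox's."""
import ntpath

USERLIST_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
TERMSERV_PARAMS = r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters"
TERMSERV_CTRL = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
LICENSING_CORE = TERMSERV_CTRL + r"\Licensing Core"
# rdpwrap.ini and rfxvmt.dll are in the sample's strings; rdpwrap.dll is the
# stock RDP Wrapper filename (assumption, added for completeness).
WRAPPER_FILES = {"rdpwrap.ini", "rdpwrap.dll", "rfxvmt.dll"}
PRIVILEGED_GROUPS = ("Administrators", "Remote Desktop Users")


def hidden_accounts(reg):
    """Accounts removed from the logon screen: REG_DWORD 0 under SpecialAccounts\\UserList."""
    return sorted(name for name, data in reg.get(USERLIST_KEY, {}).items() if data == 0)


def termservice_findings(reg):
    findings = []
    dll = reg.get(TERMSERV_PARAMS, {}).get("ServiceDll", "")
    # The legitimate value ends in termsrv.dll; anything else is a service DLL hijack.
    if dll and ntpath.basename(dll).lower() != "termsrv.dll":
        findings.append(f"TermService ServiceDll replaced: {dll}")
    ts = reg.get(TERMSERV_CTRL, {})
    if ts.get("fDenyTSConnections") == 0:
        findings.append("Remote Desktop enabled (fDenyTSConnections=0)")
    if ts.get("AllowMultipleTSSessions") == 1 or reg.get(LICENSING_CORE, {}).get("EnableConcurrentSessions") == 1:
        findings.append("concurrent RDP sessions enabled")
    return findings


def wrapper_files(paths):
    return sorted(p for p in paths if ntpath.basename(p).lower() in WRAPPER_FILES)


def privileged_hidden_accounts(reg, groups):
    """Hidden accounts that are also local admins or RDP users: NetUserAdd plus
    NetLocalGroupAddMembers followed by the UserList write produces exactly this."""
    hidden = set(hidden_accounts(reg))
    return sorted({u for g in PRIVILEGED_GROUPS for u in groups.get(g, ()) if u in hidden})


def triage(reg, paths, groups):
    return {
        "hidden_accounts": hidden_accounts(reg),
        "privileged_hidden_accounts": privileged_hidden_accounts(reg, groups),
        "termservice": termservice_findings(reg),
        "wrapper_files": wrapper_files(paths),
    }


# Constructed snapshot: registry values as `reg export` would list them, group
# membership as `net localgroup` would. The account name and the ServiceDll target
# are assumptions; the sample's strings only show the key paths and the directory.
SAMPLE_REG = {
    USERLIST_KEY: {"svc_backup": 0},
    TERMSERV_PARAMS: {"ServiceDll": r"C:\Program Files\Microsoft DN1\sqlmap.dll"},
    TERMSERV_CTRL: {"fDenyTSConnections": 0, "AllowMultipleTSSessions": 1},
    LICENSING_CORE: {"EnableConcurrentSessions": 1},
}
SAMPLE_FILES = [
    r"C:\Program Files\Microsoft DN1\rdpwrap.ini",
    r"C:\Program Files\Microsoft DN1\rfxvmt.dll",
    r"C:\Program Files\Microsoft DN1\sqlmap.dll",
    r"C:\Windows\System32\termsrv.dll",
]
SAMPLE_GROUPS = {
    "Administrators": ["Administrator", "user", "svc_backup"],
    "Remote Desktop Users": ["svc_backup"],
}

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_REG, SAMPLE_FILES, SAMPLE_GROUPS).items():
        print(key, hits)
```

Run the same checks on a clean baseline image first: AllowMultipleTSSessions and fDenyTSConnections are legitimately 1 and 0 on some server builds, so only the ServiceDll replacement and the hidden-plus-privileged account are high-confidence on their own.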

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.2f1db8c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 5404, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe TID: 5068 | Thread sleep time: -32523s >= -30000s
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe TID: 4068 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe TID: 4724 | Thread sleep count: 60 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046997E0 GetSystemTime followed by cmp: cmp edx, 04h and CTI: jc 0469983Bh
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Thread delayed: delay time: 32523
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: ADJUSTED PO3917NOV.exe, 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_04699970 GetSystemInfo,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_00409DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046F981B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_0041094E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_00419172 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_00410619 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_00410620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046F5FCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_00401085 GetProcessHeap,RtlAllocateHeap,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046F5FCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046F723B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
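Each "Code function" row in this report is a function address followed by the Windows APIs that function calls, in call order, which is enough to match the rows against ordered API patterns for the behaviours the signatures describe (remote thread injection, SeDebugPrivilege adjustment, service tampering, process enumeration, account creation, dropping an embedded resource). The classifier below is an added example, not Joe Sandbox's own logic: the signature table is this editor's choice, and the rows it runs on are copied from this report, including the 4_2_004079E8 injection function listed in the next section.

```python
"""Map the 'Code function' rows of this report (an address followed by the APIs the
function calls, in order) to the behaviour they implement. Added example; the
signature table is this editor's, not Joe Sandbox's classifier."""

# Each signature is an ordered API subsequence; other calls in between are allowed.
# Names are compared after folding the ANSI/Unicode (A/W) suffix.
SIGNATURES = [
    ("remote thread injection", ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")),
    ("privilege adjustment", ("OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges")),
    ("service configuration change", ("OpenSCManager", "OpenService", "ChangeServiceConfig")),
    ("service start", ("OpenSCManager", "OpenService", "StartService")),
    ("process enumeration", ("CreateToolhelp32Snapshot", "Process32First", "Process32Next")),
    ("drop embedded resource and execute", ("LoadResource", "CreateFile", "WriteFile", "ShellExecuteEx")),
    ("local account creation", ("NetUserAdd", "NetLocalGroupAddMembers")),
    ("dynamic API resolution", ("LoadLibrary", "GetProcAddress")),
]


def normalize(api):
    """CreateFileA and CreateFileW both become CreateFile; VirtualAllocEx is left alone."""
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


def parse_row(row):
    """'4_2_004079E8 OpenProcess,VirtualAllocEx,...' -> ('4_2_004079E8', ['OpenProcess', ...]).
    Rows with no function id, or with a trailing note such as 'explorer.exe', are tolerated."""
    func_id, apis = "", []
    for token in row.split():
        if "," in token:
            apis = [normalize(a) for a in token.split(",") if a]
        elif not apis:
            func_id = token
    return func_id, apis


def in_order(apis, pattern):
    """True if every API in pattern occurs in apis, in that relative order."""
    pos = 0
    for want in pattern:
        if want not in apis[pos:]:
            return False
        pos = apis.index(want, pos) + 1
    return True


def classify(apis):
    return [name for name, pattern in SIGNATURES if in_order(apis, pattern)]


def classify_rows(rows):
    """[(func_id, [technique, ...]), ...] for every row matching at least one signature."""
    out = []
    for row in rows:
        func_id, apis = parse_row(row)
        hits = classify(apis)
        if hits:
            out.append((func_id, hits))
    return out


# Rows copied from this report (the trailing comma is how the sandbox prints them).
REPORT_ROWS = [
    "4_2_004079E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,",
    "4_2_0040F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,",
    "4_2_0040D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,",
    "4_2_0040D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,",
    "RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe",
    "4_2_004130B3 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,",
    "4_2_0040D418 NetUserAdd,NetLocalGroupAddMembers,",
    "4_2_0041002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,",
]

if __name__ == "__main__":
    for func_id, hits in classify_rows(REPORT_ROWS):
        print(func_id or "(no id)", ", ".join(hits))
```

Order matters: the same four injection APIs in a different order (for example a thread created before memory is written) is a different primitive, which is why in_order checks a subsequence rather than set membership.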

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_004079E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Process created: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_0040F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_004118BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.555576015.0000000001BD0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.555576015.0000000001BD0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.555576015.0000000001BD0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: ADJUSTED PO3917NOV.exe, 00000004.00000002.555576015.0000000001BD0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_2_0040F93F cpuid
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046997E0 GetSystemTime,GetCurrentProcessId,GetTickCount,QueryPerformanceCounter,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046F73C6 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046994E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,

            Lowering of HIPS / PFW / Operating System Security Settings:

            Increases the number of concurrent connection per server for Internet Explorer
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

            Stealing of Sensitive Information:

            Yara detected AveMaria stealer
            Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
            Tries to steal Mail credentials (via file / registry access)
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Contains functionality to steal e-mail passwords
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: POP3 Password
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: SMTP Password
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: IMAP Password
            Contains functionality to steal Chrome passwords or cookies
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: \Google\Chrome\User Data\Default\Login Data
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: \Chromium\User Data\Default\Login Data
            Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 5404, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: ADJUSTED PO3917NOV.exe PID: 1328, type: MEMORYSTR
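
The indicators in this section reduce to three host artefacts an analyst can hunt for on an endpoint: the Outlook profile key (Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676), Chrome's Login Data file, and the Internet Settings MaxConnectionsPerServer value. The Python below is an added example and is not part of the sandbox report or of the sample. It scores constructed Sysmon-style events against those artefacts and suppresses the browser or mail client reading its own data; the field names Image and TargetObject follow Sysmon, while the event records and the allow-list of expected readers are assumptions to be tuned per estate.

```python
"""Flag the credential-access host artefacts listed in this report.

Added example (not part of the sandbox report): a small rule set that scores
constructed Sysmon-style events against the registry key, file and process
indicators the report lists for this AveMaria sample.
"""
import re
from dataclasses import dataclass, field

# Artefacts taken from the report's "Stealing of Sensitive Information" and
# "Lowering of HIPS / PFW / Operating System Security Settings" sections.
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", re.I)
CHROME_LOGIN_DATA = re.compile(r"\\(Google\\Chrome|Chromium)\\User Data\\[^\\]+\\Login Data$", re.I)
IE_MAX_CONN = re.compile(r"\\Internet Settings\\MaxConnectionsPerServer$", re.I)

# Processes that legitimately touch each artefact (assumption: tune per estate).
EXPECTED_READERS = {
    "outlook_profile": {"outlook.exe", "searchprotocolhost.exe"},
    "chrome_login_data": {"chrome.exe", "msedge.exe"},
    "ie_max_connections": {"iexplore.exe", "explorer.exe"},
}


@dataclass
class Finding:
    image: str
    artefact: str
    target: str


@dataclass
class Verdict:
    findings: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per distinct artefact class: mail credentials, browser
        # credentials and the IE connection tweak together is the pattern
        # this report attributes to the sample.
        return len({f.artefact for f in self.findings})


def classify(target: str):
    """Map a registry key or file path to one of the report's artefact classes."""
    if OUTLOOK_PROFILE_KEY.search(target):
        return "outlook_profile"
    if CHROME_LOGIN_DATA.search(target):
        return "chrome_login_data"
    if IE_MAX_CONN.search(target):
        return "ie_max_connections"
    return None


def evaluate(events):
    """events: iterable of dicts with Image and TargetObject (Sysmon naming)."""
    verdict = Verdict()
    for ev in events:
        artefact = classify(ev["TargetObject"])
        if artefact is None:
            continue
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image in EXPECTED_READERS[artefact]:
            continue  # the browser or mail client reading its own data
        verdict.findings.append(Finding(ev["Image"], artefact, ev["TargetObject"]))
    return verdict


# Constructed events modelled on the report's behaviour lines (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"Image": r"C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe",
     "TargetObject": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": r"C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetObject": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    v = evaluate(SAMPLE_EVENTS)
    for f in v.findings:
        print(f"{f.artefact:20} {f.image} -> {f.target}")
    print("score:", v.score)
```

A single hit on the IE key is weak evidence on its own, which is why the score counts distinct artefact classes rather than raw events: the same unsigned process touching the mail profile key and a browser's Login Data within one session is the combination worth paging on.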

            Remote Access Functionality:

            Yara detected AveMaria stealer
            Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.3fccb60.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.15.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.18.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.40a0c30.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.ADJUSTED PO3917NOV.exe.400c580.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.ADJUSTED PO3917NOV.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.0.ADJUSTED PO3917NOV.exe.400000.21.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B4C40 sqlite3_bind_int64,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B4C20 sqlite3_bind_int,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B4CF0 sqlite3_bind_text,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B4CC0 sqlite3_bind_null,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B4D50 sqlite3_bind_value,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B4D20 sqlite3_bind_text16,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B4EE0 sqlite3_bind_zeroblob,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B4F70 sqlite3_bind_parameter_count,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B4FF0 sqlite3_bind_parameter_name,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B3030 sqlite3_clear_bindings,_memset,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B50E0 sqlite3_bind_parameter_index,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B52D0 sqlite3_transfer_bindings,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B4BC0 sqlite3_bind_double,
            Source: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe | Code function: 4_3_046B4B90 sqlite3_bind_blob,
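
The sqlite3_bind_* functions listed above show that the unpacked payload carries its own statically linked SQLite, which is what it needs to read Chrome's Login Data: an SQLite file whose logins table holds origin_url, username_value and an encrypted password_value blob. The Python below is an added example, not the sample's or the report's code. It rebuilds that table in memory with constructed rows, runs the SELECT a stealer issues against it (the exact query text is an assumption; the column names are Chrome's), and classifies each password_value by its on-disk prefix so an analyst can tell whether the attacker also needed the AES key from Chrome's Local State file or only the victim's DPAPI user context. The prefix and key-storage facts are Chrome behaviour, not something the report states.

```python
"""What the statically linked sqlite3 in the payload is used for.

Added example, not code from the sample or the report. Builds an in-memory
stand-in for Chrome's Login Data (only the columns a stealer reads), queries
it the way a stealer does, and classifies the stored secrets by format.
"""
import sqlite3

# Chrome 80+ on Windows stores password_value as b"v10" + 12-byte nonce +
# AES-256-GCM ciphertext and tag; the AES key is base64 in "Local State"
# (os_crypt.encrypted_key), prefixed "DPAPI" and itself DPAPI-protected.
# Older profiles hold a raw DPAPI blob, which starts 01 00 00 00 D0 8C 9D DF.
DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf")

# Constructed rows for illustration; the ciphertext bytes are zero filler.
SAMPLE_ROWS = [
    ("https://mail.example.test/login", "alice", b"v10" + bytes(12) + bytes(32)),
    ("https://intranet.example.test/", "bob", DPAPI_MAGIC + bytes(40)),
    ("https://legacy.example.test/", "carol", b"plaintext-not-expected"),
]


def build_login_data(rows=SAMPLE_ROWS) -> sqlite3.Connection:
    """In-memory stand-in for %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)"
    )
    # Bound parameters: the Python equivalent of the sqlite3_bind_text and
    # sqlite3_bind_blob calls the report lists at 4_3_046B4CF0 and 4_3_046B4B90.
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    return con


def blob_format(blob: bytes) -> str:
    """Classify a stored secret so IR knows what else the stealer needed."""
    if blob.startswith(b"v10"):
        return "aes-gcm (needs Local State key)"
    if blob.startswith(DPAPI_MAGIC):
        return "dpapi (user context suffices)"
    return "unknown"


def dump_logins(con: sqlite3.Connection):
    """The read a credential stealer performs; returns (url, user, format) tuples."""
    cur = con.execute("SELECT origin_url, username_value, password_value FROM logins")
    return [(url, user, blob_format(pw)) for url, user, pw in cur.fetchall()]


if __name__ == "__main__":
    for row in dump_logins(build_login_data()):
        print(*row, sep=" | ")
```

On a live host the browser holds Login Data open while it runs, so stealers commonly copy the file before querying it; a copy of Login Data (and of Local State) under a temporary directory is therefore a second artefact worth checking alongside the file-open event the report records.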

            Mitre Att&ck Matrix

            (Per tactic. Bracketed digits after a technique are the report's per-cell signature-count badges, reproduced as they appear; techniques without a badge are part of the matrix's fixed layout and carry no matching signature for this sample.)

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
            Execution: Native API [1]; Scheduled Task/Job [1]; Service Execution [2]; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
            Persistence: Create Account [1]; Windows Service [1]; Scheduled Task/Job [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
            Privilege Escalation: Access Token Manipulation [1]; Windows Service [1]; Process Injection [122]; Scheduled Task/Job [1]; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
            Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [11]; Masquerading [3]; Virtualization/Sandbox Evasion [21]; Access Token Manipulation [1]; Process Injection [122]; Hidden Files and Directories [1]; Hidden Users [1]
            Credential Access: OS Credential Dumping [3]; Input Capture [21]; Credentials In Files [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
            Discovery: System Time Discovery [12]; System Service Discovery [1]; File and Directory Discovery [3]; System Information Discovery [27]; Security Software Discovery [221]; Virtualization/Sandbox Evasion [21]; Process Discovery [3]; Network Service Scanning; System Network Connections Discovery; Process Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
            Collection: Archive Collected Data [1]; Data from Local System [1]; Email Collection [1]; Input Capture [21]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
            Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [2]; Non-Standard Port [1]; Application Layer Protocol [1]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Endpoint Denial of Service [1]; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

            Behavior Graph

            (Interactive behaviour graph not reproduced in this text export.)

            Screenshots

            (Screenshot thumbnails not reproduced in this text export.)

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            ADJUSTED PO3917NOV.exe | 31% | ReversingLabs | Win32.Trojan.AgentTesla

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe | 29% | ReversingLabs | Win32.Trojan.AgentTesla

            Unpacked PE Files

            Source | Detection | Scanner | Label
            4.0.ADJUSTED PO3917NOV.exe.400000.8.unpack | 100% | Avira | TR/Redcap.ghjpt
            4.0.ADJUSTED PO3917NOV.exe.400000.15.unpack | 100% | Avira | TR/Redcap.ghjpt
            4.2.ADJUSTED PO3917NOV.exe.400000.0.unpack | 100% | Avira | TR/Redcap.ghjpt
            4.0.ADJUSTED PO3917NOV.exe.400000.21.unpack | 100% | Avira | TR/Redcap.ghjpt
            4.0.ADJUSTED PO3917NOV.exe.400000.4.unpack | 100% | Avira | TR/Redcap.ghjpt
            4.0.ADJUSTED PO3917NOV.exe.400000.18.unpack | 100% | Avira | TR/Redcap.ghjpt
            4.0.ADJUSTED PO3917NOV.exe.400000.12.unpack | 100% | Avira | TR/Redcap.ghjpt
            4.0.ADJUSTED PO3917NOV.exe.400000.6.unpack | 100% | Avira | TR/Redcap.ghjpt
            4.0.ADJUSTED PO3917NOV.exe.400000.10.unpack | 100% | Avira | TR/Redcap.ghjpt

            Domains

            No Antivirus matches

            URLs


            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            185.222.57.253 | true | Virustotal: 4%; Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries


                                          Contacted IPs

                                          Public

                                           IP | Domain | Country | ASN | ASN Name | Malicious
                                           185.222.57.253 | unknown | Netherlands | 51447 | ROOTLAYERNETNL | true

                                          General Information

                                           Joe Sandbox Version: 34.0.0 Boulder Opal
                                           Analysis ID: 514608
                                           Start date: 03.11.2021
                                           Start time: 13:23:15
                                           Joe Sandbox Product: CloudBasic
                                           Overall analysis duration: 0h 9m 14s
                                           Hypervisor based Inspection enabled: false
                                           Report type: light
                                           Sample file name: ADJUSTED PO3917NOV.exe
                                           Cookbook file name: default.jbs
                                           Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                           Number of new started processes analysed: 19
                                           Number of new started drivers analysed: 0
                                           Number of existing processes analysed: 0
                                           Number of existing drivers analysed: 0
                                           Number of injected processes analysed: 0
                                           Technologies:
                                           • HCA enabled
                                           • EGA enabled
                                           • HDC enabled
                                           • AMSI enabled
                                           Analysis Mode: default
                                           Analysis stop reason: Timeout
                                           Detection: MAL
                                           Classification: mal100.phis.troj.spyw.expl.evad.winEXE@6/6@0/1
                                           EGA Information: Failed
                                           HDC Information:
                                           • Successful, ratio: 27.1% (good quality ratio 26.6%)
                                           • Quality average: 84.6%
                                           • Quality standard deviation: 21%
                                           HCA Information:
                                           • Successful, ratio: 96%
                                           • Number of executed functions: 0
                                           • Number of non-executed functions: 0
                                           Cookbook Comments:
                                           • Adjust boot time
                                           • Enable AMSI
                                           • Found application associated with file extension: .exe
                                           Warnings:
                                           • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                           • TCP packets have been reduced to 100
                                           • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                           • Not all processes were analysed; the report is missing behavior information
                                           • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                           • Report size getting too big, too many NtOpenKeyEx calls found.
                                           • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                           • Report size getting too big, too many NtQueryValueKey calls found.

                                          Simulations

                                          Behavior and APIs

                                           Time | Type | Description
                                           13:24:17 | API Interceptor | 2x Sleep call for process: ADJUSTED PO3917NOV.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                           Match | Associated Sample Name / URL | Detection
                                           185.222.57.253 | Kyodo International Corp - Products Lists.exe | malicious

                                            Domains

                                            No context

                                            ASN


                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                             C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ADJUSTED PO3917NOV.exe.log
                                             Process: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
                                             File Type: ASCII text, with CRLF line terminators
                                             Category: modified
                                             Size (bytes): 1216
                                             Entropy (8bit): 5.355304211458859
                                             Encrypted: false
                                             SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                             MD5: FED34146BF2F2FA59DCF8702FCC8232E
                                             SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                             SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                             SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                             Malicious: true
                                             Reputation: high, very likely benign file
                                            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                             C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp
                                             Process: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
                                             File Type: XML 1.0 document, ASCII text, with CRLF line terminators
                                             Category: dropped
                                             Size (bytes): 1646
                                             Entropy (8bit): 5.2021349858666435
                                             Encrypted: false
                                             SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBgAPtn:cbh47TlNQ//rydbz9I3YODOLNdq3yy
                                             MD5: 1C1A65CA91C09759C032BDB8A9D63E5D
                                             SHA1: 99404B26FCF77D27761690D71EEDB2C2B41B8755
                                             SHA-256: 14C38D65AA4C38350AD298E9742BC7982B635FF0D82C1B973710D84BAFB53C2E
                                             SHA-512: 9ACF01FDBC35568D22E53C21723C1B4EFB488EEC84E17B8444823A628F5D09EDEA04EEFF76A3A524C0C8C050D2CE819FABB6DA845767B531F260614C72B165B8
                                             Malicious: true
                                             Reputation: low
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                             C:\Users\user\AppData\Roaming\AHuvEkw.tmp
                                             Process: C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
                                             File Type: SQLite 3.x database, last written using SQLite version 3032001
                                             Category: dropped
                                             Size (bytes): 40960
                                             Entropy (8bit): 0.792852251086831
                                             Encrypted: false
                                             SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                             MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
                                             SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
                                             SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                             SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                             Malicious: false
                                             Reputation: high, very likely benign file
                                             Preview: SQLite format 3 (remainder of the preview is non-printable bytes and is omitted)
                                            C:\Users\user\AppData\Roaming\Knptwsn.tmp
                                            Process:C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
                                            File Type:ASCII text, with very long lines, with no line terminators
                                            Category:dropped
                                            Size (bytes):87165
                                            Entropy (8bit):6.102565506017432
                                            Encrypted:false
                                            SSDEEP:1536:S9sfGRcZdJiXrXafIyYOetKdapZsyTwL3cDGOLN0nTwY/A3iuR+:SsfFcbXafIB0u1GOJmA3iuR+
                                            MD5:CC02ABB348037609ED09EC9157D55234
                                            SHA1:32411A59960ECF4D7434232194A5B3DB55817647
                                            SHA-256:62E0236494260F5C9FFF1C4DBF1A57C66B28A5ABE1ACF21B26D08235C735C7D8
                                            SHA-512:AC95705ED369D82B65200354E10875F6AD5EBC4E0F9FFC61AE6C45C32410B6F55D4C47B219BA4722B6E15C34AC57F91270581DB0A391711D70AF376170DE2A35
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview: {"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601478090199719e+12,"network":1.601453434e+12,"ticks":826153657.0,"uncertainty":4457158.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABL95WKt94zTZq03WydzHLcAAAAAAIAAAAAABBmAAAAAQAAIAAAABAL2tyan+lsWtxhoUVdUYrYiwg8iJkppNr2ZbBFie9UAAAAAA6AAAAAAgAAIAAAABDv4gjLq1dOS7lkRG21YVXojnHhsRhNbP8/D1zs78mXMAAAAB045Od5v4BxiFP4bdRYJjDXn4W2fxYqQj2xfYeAnS1vCL4JXAsdfljw4oXIE4R7l0AAAABlt36FqChftM9b7EtaPw98XRX5Y944rq1WsGWcOPFyXOajfBL3GXBUhMXghJbDGb5WCu+JEdxaxLLxaYPp4zeP"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245951016607996"},"plugins":{"metadata":{"adobe-flash-player":{"disp
                                            C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe
                                            Process:C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):963072
                                            Entropy (8bit):6.000080999689837
                                            Encrypted:false
                                            SSDEEP:6144:KMs+2EfXXT4uWtf5YTZkUPTUTsTlNOsk4F8d5JF4Nydla+4dZN0lTwI:Kk/DeV5YTZHPTesTW5JF4MN4dU1wI
                                            MD5:EC46F95F234B89325E198104D1887B1C
                                            SHA1:D0600CDB17F86F31EFF130D029A87717FDE2CC7A
                                            SHA-256:01BBEF21BEA94B6EC60C739DF3E40E887CF0EA1DF7BA2F1678CE708BA10A6203
                                            SHA-512:C3207A8C9C4639A40AD72308C7AA6710C78C4AC014704CF6675AD7D724CFDBA9D7A0AFD292E7B133EEB964342A1B0988A6CFC8C24D0EB84A43787405227968EB
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 29%
                                            Reputation:low
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p.a..............0..............+... ...@....@.. ....................... ............@.................................D+..O....@.. ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc..............................@..B................x+......H........T...R......}.......P.............................................{....*.0..-..........6...%..~.o...........%.r...p.%.r?..p.%...*J.rU..p}.....(....*.0...........rU..p}.....(......}......}.....9.....o.....3V..+...o....~e.....3...}....+...X..~e....i2...+...o....~f.....3...}....+...X..~f....i2..{....-..rU..p(....,...}......+..~g.....(....,...}....*..X..~g....i2.*..{....*...0..x.......rU..p..{.......YE................,...+8.rW..p(.....+6.rg..p(.....+(.r}..p(.....+..r...p(
                                            C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe:Zone.Identifier
                                            Process:C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview: [ZoneTransfer]....ZoneId=0
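The `Zone.Identifier` stream dumped above is the NTFS alternate data stream that carries the Mark-of-the-Web. Windows applies the "Open File - Security Warning" prompt and SmartScreen checks to files whose ZoneId is 3 (Internet) or 4 (Restricted); a stream with `ZoneId=0` (URLZONE_LOCAL_MACHINE), as written here for the copy in `%AppData%\Roaming`, makes the dropped executable look like a locally created file. The parser below is an added example for this report and is not code from the sample or from Joe Sandbox. It reads the stream text exactly as dumped (the 26-byte content matches the reported size), maps the numeric zone to its URLZONE name, and applies a simple triage rule: an executable with no stream, or with a stream that claims a local or intranet origin, is flagged. The second, Internet-zone stream is constructed for contrast; its URLs are placeholders.

```python
"""Parse an NTFS Zone.Identifier alternate data stream (Mark-of-the-Web).

Added example for this report, not code from the sample or from Joe Sandbox.
The stream is a small INI-style text; the ZoneId value follows the URLZONE
enumeration from urlmon.h.
"""
from dataclasses import dataclass
from typing import Optional

# URLZONE enumeration.  Mark-of-the-Web handling (security warning,
# SmartScreen) is applied to zones 3 and 4 only.
URLZONE_NAMES = {
    0: "LocalMachine",
    1: "Intranet",
    2: "Trusted",
    3: "Internet",
    4: "Restricted",
}

# Extensions for which a missing or downgraded zone is worth flagging.
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".js", ".vbs", ".ps1")


@dataclass
class ZoneIdentifier:
    zone_id: Optional[int]
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        if self.zone_id is None:
            return "missing"
        return URLZONE_NAMES.get(self.zone_id, f"unknown({self.zone_id})")

    @property
    def marked_untrusted(self) -> bool:
        """True when the file will receive Mark-of-the-Web treatment."""
        return self.zone_id is not None and self.zone_id >= 3


def parse_zone_identifier(stream_text: str) -> ZoneIdentifier:
    """Parse the text of a :Zone.Identifier stream.

    Only the [ZoneTransfer] section is consulted, keys are matched
    case-insensitively, and CRLF as well as LF line endings are accepted.
    """
    values = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    zone_raw = values.get("zoneid")
    zone_id = int(zone_raw) if zone_raw is not None and zone_raw.isdigit() else None
    return ZoneIdentifier(zone_id, values.get("referrerurl"), values.get("hosturl"))


def suspicious_drop(path: str, stream_text: Optional[str]) -> Optional[str]:
    """Triage rule (heuristic, not a report value): an executable written with
    no Mark-of-the-Web, or with a zone claiming local/intranet origin, deserves
    a second look.  Returns a reason string, or None when nothing stands out."""
    if not path.lower().endswith(EXECUTABLE_EXTENSIONS):
        return None
    if stream_text is None:
        return "no Zone.Identifier stream on executable"
    zi = parse_zone_identifier(stream_text)
    if not zi.marked_untrusted:
        return (f"Zone.Identifier present but ZoneId={zi.zone_id} "
                f"({zi.zone_name}) suppresses Mark-of-the-Web")
    return None


# Stream content exactly as dumped in the report for QUQovKcaZRcNZ.exe (26 bytes).
DROPPED_STREAM = "[ZoneTransfer]\r\nZoneId=0\r\n"

# Constructed example of what a browser download normally writes.
BROWSER_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/setup.exe\r\n"
)

if __name__ == "__main__":
    for name, text in (("dropped", DROPPED_STREAM), ("browser", BROWSER_STREAM)):
        zi = parse_zone_identifier(text)
        print(name, zi.zone_id, zi.zone_name, "untrusted" if zi.marked_untrusted else "trusted")
    print(suspicious_drop(r"C:\Users\user\AppData\Roaming\QUQovKcaZRcNZ.exe", DROPPED_STREAM))
```

On a live host the same stream is read with `Get-Content -Path <file> -Stream Zone.Identifier` in PowerShell; an executable freshly written by a non-installer process that has either no stream or a zone below 3 is the artefact this rule is looking for.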

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):6.000080999689837
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:ADJUSTED PO3917NOV.exe
                                            File size:963072
                                            MD5:ec46f95f234b89325e198104d1887b1c
                                            SHA1:d0600cdb17f86f31eff130d029a87717fde2cc7a
                                            SHA256:01bbef21bea94b6ec60c739df3e40e887cf0ea1df7ba2f1678ce708ba10a6203
                                            SHA512:c3207a8c9c4639a40ad72308c7aa6710c78c4ac014704cf6675ad7d724cfdba9d7a0afd292e7b133eeb964342a1b0988a6cfc8c24d0eb84a43787405227968eb
                                            SSDEEP:6144:KMs+2EfXXT4uWtf5YTZkUPTUTsTlNOsk4F8d5JF4Nydla+4dZN0lTwI:Kk/DeV5YTZHPTesTW5JF4MN4dU1wI
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p..a..............0..............+... ...@....@.. ....................... ............@................................

                                            File Icon

                                            Icon Hash:f0f0faf2e8ccb48a

                                            Static PE Info

                                            General

                                            Entrypoint:0x482b96
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x6181EE70 [Wed Nov 3 02:05:36 2021 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            sub byte ptr [eax], al
                                            sub dword ptr [eax], eax
                                            cmp eax, 2B000000h
                                            add byte ptr [2F002A00h], ch
                                            add byte ptr [00005E00h], ah
                                            add byte ptr [eax], al
                                            add byte ptr [ebx], ch
                                            add byte ptr [2F002A00h], ch
                                            add byte ptr [28005E00h], ah
                                            add byte ptr [ecx], ch
                                            add byte ptr [eax], ah
                                            add byte ptr [00000000h], bh
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al

                                            Data Directories

                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x82b44 | 0x4f | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x6a120 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf0000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                            Sections

                                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0x80bcc | 0x80c00 | False | 0.561988015777 | data | 6.21831911022 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0x84000 | 0x6a120 | 0x6a200 | False | 0.121188070524 | data | 5.17746746332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0xf0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            Name | RVA | Size | Type | Language | Country
                                            RT_ICON | 0x842e0 | 0x42028 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0 | |
                                            RT_ICON | 0xc6308 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                                            RT_ICON | 0xd6b30 | 0x94a8 | data | |
                                            RT_ICON | 0xdffd8 | 0x5488 | data | |
                                            RT_ICON | 0xe5460 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 248, next used block 520093696 | |
                                            RT_ICON | 0xe9688 | 0x25a8 | data | |
                                            RT_ICON | 0xebc30 | 0x10a8 | data | |
                                            RT_ICON | 0xeccd8 | 0x988 | data | |
                                            RT_ICON | 0xed660 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                            RT_GROUP_ICON | 0xedac8 | 0x84 | data | |
                                            RT_GROUP_ICON | 0xedb4c | 0x84 | data | |
                                            RT_VERSION | 0xedbd0 | 0x364 | data | |
                                            RT_MANIFEST | 0xedf34 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                            Imports

                                            DLL | Import
                                            mscoree.dll | _CorExeMain
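Two figures in the static tables above can be reproduced from first principles, which matters when the same values have to be computed at scale or cross-checked against another tool. The per-section Entropy column is the Shannon entropy of the raw section bytes (0 bits per byte for uniform padding such as the 0x200-byte .reloc, 8 for random or well-encrypted data), and the Import Hash is the MD5 over the lowercase `dll.function` import list in import-table order. The example below is added here and is not code from the report, the sample or the pefile project, although the hash recipe follows pefile's `get_imphash()` so the result is comparable with the report's value. It recomputes the import hash from the single import listed above and shows why the result, f34d5f2d4577ed6d9ceec516c1f5a744, has no clustering value: every .NET executable whose only native import is mscoree.dll!_CorExeMain produces the same hash. The section bytes are constructed, since the report gives sizes and entropy but not contents, and the 7.0 "packed" threshold is a common heuristic, not a report value.

```python
"""Static PE triage helpers: Shannon entropy of section bytes and the
pefile-style import hash.

Added example; not from the sample, the report, or the pefile project.  The
imphash recipe mirrors pefile's get_imphash() so results are comparable.
"""
import hashlib
import math
from collections import Counter
from typing import Iterable, List, Tuple

# Heuristic only: sections at or above this are usually compressed or encrypted.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, in [0.0, 8.0]; empty input yields 0.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(name: str, data: bytes) -> Tuple[str, float, str]:
    """Return (name, entropy, verdict) for one section's raw bytes."""
    ent = shannon_entropy(data)
    if ent >= PACKED_ENTROPY_THRESHOLD:
        verdict = "high entropy: likely packed/encrypted"
    elif ent < 1.0:
        verdict = "near-constant: padding or sparse data"
    else:
        verdict = "plain code/data"
    return name, round(ent, 6), verdict


def imphash(imports: Iterable[Tuple[str, List[str]]]) -> str:
    """pefile-compatible import hash.

    imports: iterable of (dll_name, [function_name, ...]) in import-table order.
    The extension is stripped only for .dll/.ocx/.sys, names are lowercased,
    entries are joined as 'dll.func' with commas, and the string is MD5'd.
    Imports by ordinal would need pefile's ordinal lookup tables and are not
    handled here.
    """
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        for func in funcs:
            parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# The entire native import table of the sample, as listed in the report.
SAMPLE_IMPORTS = [("mscoree.dll", ["_CorExeMain"])]

# Hash shared by every .NET executable with exactly this import table.
DOTNET_STUB_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def imphash_is_informative(imports: Iterable[Tuple[str, List[str]]]) -> bool:
    """False when the hash is just the generic .NET loader stub."""
    return imphash(imports) != DOTNET_STUB_IMPHASH


# Constructed section contents (the report gives sizes and entropy, not bytes).
CONSTRUCTED_SECTIONS = {
    ".zeros": bytes(0x200),                                          # padded .reloc-like
    ".rand": bytes(range(256)) * 16,                                 # uniform distribution
    ".text": b"mov eax, [ebp+8]; call dword ptr [eax]; ret\n" * 64,  # text-like
}

if __name__ == "__main__":
    print("imphash:", imphash(SAMPLE_IMPORTS),
          "informative:", imphash_is_informative(SAMPLE_IMPORTS))
    for name, data in CONSTRUCTED_SECTIONS.items():
        print(classify_section(name, data))
```

For this sample the import hash therefore adds nothing to pivoting; the file hashes, the dropped-file name, the scheduled task and the C2 endpoint are the usable indicators, and for clustering .NET samples a hash over the CLR metadata (type and method names) is the customary substitute.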

                                            Version Infos

                                            Description | Data
                                            Translation | 0x0000 0x04b0
                                            LegalCopyright | Copyright 2008
                                            Assembly Version | 1.0.0.0
                                            InternalName | En.exe
                                            FileVersion | 1.0.0.0
                                            CompanyName |
                                            LegalTrademarks |
                                            Comments |
                                            ProductName | cs276_bjt_11--2008_hashFunctions
                                            ProductVersion | 1.0.0.0
                                            FileDescription | cs276_bjt_11--2008_hashFunctions
                                            OriginalFilename | En.exe

                                            Network Behavior

                                            Network Port Distribution

                                            TCP Packets

                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Nov 3, 2021 13:24:30.335695982 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.359518051 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.359672070 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.384587049 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.430227995 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.494748116 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.573896885 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.589350939 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.597136974 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.644506931 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.644562960 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.644604921 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.644644022 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.644673109 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.644691944 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.644736052 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.667337894 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.667428017 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.667557001 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.667604923 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.667642117 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.667669058 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.667680025 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.667691946 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.667717934 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.667725086 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.667753935 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.667784929 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.667890072 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.690375090 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690428972 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690469027 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690501928 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.690509081 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690548897 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690552950 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.690589905 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690628052 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690639019 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.690666914 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690706015 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690742970 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690782070 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690812111 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.690818071 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.690823078 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690865040 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690877914 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.690905094 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690943956 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.690954924 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.690983057 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.691010952 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.691243887 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.713630915 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.713690996 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.713732958 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.713772058 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.713812113 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.713813066 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.713829041 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.713854074 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.713896036 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.713933945 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.713973045 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.713979959 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.713984013 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.714013100 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714052916 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714091063 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714128017 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714129925 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.714138031 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.714168072 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714209080 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714246988 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714260101 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.714286089 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714325905 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714365005 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714378119 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.714384079 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.714407921 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714446068 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714487076 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714487076 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.714528084 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714565992 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714570045 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.714605093 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714643955 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714648962 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.714682102 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714720964 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714745045 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
                                            Nov 3, 2021 13:24:30.714749098 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714790106 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714829922 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714868069 CET | 4782 | 49741 | 185.222.57.253 | 192.168.2.3
                                            Nov 3, 2021 13:24:30.714869976 CET | 49741 | 4782 | 192.168.2.3 | 185.222.57.253
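The packet table above is a single TCP conversation: the analysis host 192.168.2.3 (source port 49741) opens a connection to 185.222.57.253 on port 4782, and within roughly 0.4 s the remote side sends a long run of packets back. When a report lists packets this way, the first thing an analyst wants is the flow rebuilt: who initiated, which endpoint is the server, how many packets went each way and over what interval. The code below is an added example, not part of the Joe Sandbox report; it does exactly that for rows carrying only timestamp, ports and addresses (no TCP flags or payload sizes are in the table, so those cannot be derived). The sample rows are the first ten rows of the table above, split into fields; the initiator is assumed to be the source of the earliest packet in each flow.

```python
"""Rebuild TCP conversations from a flat packet list like the one above.

Added example, not part of the Joe Sandbox report.  Each row carries only
(timestamp, source port, destination port, source IP, destination IP), so the
summary is limited to packet counts per direction and timing.  The initiator
of a flow is taken to be the source of its earliest packet.
"""
from datetime import datetime
from typing import Dict, List, Tuple

Row = Tuple[str, int, int, str, str]
FlowKey = Tuple[str, int, str, int]  # (client_ip, client_port, server_ip, server_port)

EPOCH = datetime(1970, 1, 1)


def parse_timestamp_ns(ts: str) -> int:
    """'Nov 3, 2021 13:24:30.335695982 CET' -> integer nanoseconds.

    datetime stops at microseconds, so the fraction is handled separately to
    keep all nine digits.  The zone suffix is ignored: every row in one report
    shares it, and only differences between rows are used."""
    main, frac_tz = ts.split(".", 1)
    frac, _zone = frac_tz.split(" ", 1)
    base = datetime.strptime(main, "%b %d, %Y %H:%M:%S")
    whole_s = int((base - EPOCH).total_seconds())
    return whole_s * 10**9 + int(frac.ljust(9, "0")[:9])


def summarize_flows(rows: List[Row]) -> Dict[FlowKey, dict]:
    """Group packets into flows and count packets in each direction."""
    ordered = sorted(rows, key=lambda r: parse_timestamp_ns(r[0]))
    flows: Dict[FlowKey, dict] = {}
    idents: Dict[FlowKey, frozenset] = {}
    for ts, sport, dport, sip, dip in ordered:
        t = parse_timestamp_ns(ts)
        ident = frozenset({(sip, sport), (dip, dport)})  # direction-independent
        key = next((k for k, v in idents.items() if v == ident), None)
        if key is None:
            key = (sip, sport, dip, dport)  # first packet seen decides the client
            idents[key] = ident
            flows[key] = {"to_server": 0, "to_client": 0, "first_ns": t, "last_ns": t}
        f = flows[key]
        if (sip, sport) == (key[0], key[1]):
            f["to_server"] += 1
        else:
            f["to_client"] += 1
        f["last_ns"] = t
    for f in flows.values():
        f["duration_s"] = (f["last_ns"] - f["first_ns"]) / 1e9
    return flows


def ioc_lines(flows: Dict[FlowKey, dict]) -> List[str]:
    """One hunt-ready line per flow: server endpoint first, then traffic shape."""
    return [
        f"{sip}:{sport} <- {cip}:{cport} "
        f"pkts_to_server={f['to_server']} pkts_to_client={f['to_client']} "
        f"duration={f['duration_s']:.3f}s"
        for (cip, cport, sip, sport), f in flows.items()
    ]


# The first ten rows of the packet table above, split into fields.
SAMPLE_ROWS: List[Row] = [
    ("Nov 3, 2021 13:24:30.335695982 CET", 49741, 4782, "192.168.2.3", "185.222.57.253"),
    ("Nov 3, 2021 13:24:30.359518051 CET", 4782, 49741, "185.222.57.253", "192.168.2.3"),
    ("Nov 3, 2021 13:24:30.359672070 CET", 49741, 4782, "192.168.2.3", "185.222.57.253"),
    ("Nov 3, 2021 13:24:30.384587049 CET", 4782, 49741, "185.222.57.253", "192.168.2.3"),
    ("Nov 3, 2021 13:24:30.430227995 CET", 49741, 4782, "192.168.2.3", "185.222.57.253"),
    ("Nov 3, 2021 13:24:30.494748116 CET", 49741, 4782, "192.168.2.3", "185.222.57.253"),
    ("Nov 3, 2021 13:24:30.573896885 CET", 4782, 49741, "185.222.57.253", "192.168.2.3"),
    ("Nov 3, 2021 13:24:30.589350939 CET", 4782, 49741, "185.222.57.253", "192.168.2.3"),
    ("Nov 3, 2021 13:24:30.597136974 CET", 49741, 4782, "192.168.2.3", "185.222.57.253"),
    ("Nov 3, 2021 13:24:30.644506931 CET", 4782, 49741, "185.222.57.253", "192.168.2.3"),
]

if __name__ == "__main__":
    for line in ioc_lines(summarize_flows(SAMPLE_ROWS)):
        print(line)
```

Run over the full table the same function yields one flow whose server side, 185.222.57.253:4782, is the endpoint to block and hunt for; the per-direction counts make the asymmetry (a short client exchange answered by a dense burst from the server) visible without a pcap.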

                                            Code Manipulations

                                            Statistics

                                            Behavior

                                            System Behavior

                                            General

                                            Start time:13:24:11
                                            Start date:03/11/2021
                                            Path:C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe"
                                            Imagebase:0x990000
                                            File size:963072 bytes
                                            MD5 hash:EC46F95F234B89325E198104D1887B1C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.327281323.00000000030A2000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.327014581.0000000002ED1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.327512166.0000000003ED9000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            General

                                            Start time:13:24:22
                                            Start date:03/11/2021
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QUQovKcaZRcNZ" /XML "C:\Users\user\AppData\Local\Temp\tmpD7D5.tmp
                                            Imagebase:0x12f0000
                                            File size:185856 bytes
                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:13:24:22
                                            Start date:03/11/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7f20f0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:13:24:22
                                            Start date:03/11/2021
                                            Path:C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\ADJUSTED PO3917NOV.exe
                                            Imagebase:0xf70000
                                            File size:963072 bytes
                                            MD5 hash:EC46F95F234B89325E198104D1887B1C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.327703338.00000000015C4000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000000.319379461.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000000.321459100.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000000.317402875.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.327531363.00000000015CA000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000000.316730524.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000003.327615222.000000000159F000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000003.327615222.000000000159F000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.327638100.00000000015C4000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.327579370.00000000015B1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000000.319990653.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000000.319990653.000000000054F000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000000.321513614.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000000.321513614.000000000054F000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000003.327551592.000000000159F000.00000004.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000003.327551592.000000000159F000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000002.554723844.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000002.554723844.000000000054F000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000000.318229472.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000000.318229472.000000000054F000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000000.319952873.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000000.318207568.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.327676957.00000000015CA000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000000.319416601.000000000054F000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000000.319416601.000000000054F000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: AveMaria_WarZone, Description: unknown, Source: 00000004.00000002.554668873.0000000000400000.00000040.00000001.sdmp, Author: unknown
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.327479352.00000000015A5000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            Disassembly

                                            Code Analysis
