
Analysis Report Me jpg jpgjpg jpg.scr

Overview

General Information

Sample Name:Me jpg jpgjpg jpg.scr (renamed file extension from scr to exe)
Analysis ID:271446
MD5:0fefb456de0c44dbe347c9af0017e49c
SHA1:ed1ce8ba6a765c7ac221d545efa389afea44cd82
SHA256:d2b7389c9dd63fb1b147537c52572bbc09bec5c080474000e113b31aa249388a

Most interesting Screenshot:

Detection

Ardamax AveMaria GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ardamax
Yara detected AveMaria stealer
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Hides user accounts
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Increases the number of concurrent connection per server for Internet Explorer
Installs a global get message hook
Installs a global keyboard hook
Modifies the prolog of user mode functions (user mode inline hooks)
Tries to detect Any.run
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Queries keyboard layouts
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sleep loop found (likely to delay execution)
Spawns drivers
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • Me jpg jpgjpg jpg.exe (PID: 6996 cmdline: 'C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe' MD5: 0FEFB456DE0C44DBE347C9AF0017E49C)
    • Me jpg jpgjpg jpg.exe (PID: 7024 cmdline: 'C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe' MD5: 0FEFB456DE0C44DBE347C9AF0017E49C)
      • designs.exe (PID: 7096 cmdline: 'C:\Users\user\AppData\Local\Temp\designs.exe' MD5: EBC04C1870F513752A97791489B779CA)
        • TSH.exe (PID: 6488 cmdline: 'C:\ProgramData\QQOFCC\TSH.exe' MD5: D60CF802E4316BFAF8CA1964B2F1C769)
      • Purchase Order.scr (PID: 7140 cmdline: 'C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr' /S MD5: 0FEFB456DE0C44DBE347C9AF0017E49C)
        • Purchase Order.scr (PID: 3920 cmdline: 'C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr' /S MD5: 0FEFB456DE0C44DBE347C9AF0017E49C)
  • wscript.exe (PID: 5056 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • Purchase Order.scr (PID: 4600 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr MD5: 0FEFB456DE0C44DBE347C9AF0017E49C)
      • Purchase Order.scr (PID: 5272 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr MD5: 0FEFB456DE0C44DBE347C9AF0017E49C)
  • wscript.exe (PID: 5988 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • Purchase Order.scr (PID: 5928 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr MD5: 0FEFB456DE0C44DBE347C9AF0017E49C)
      • Purchase Order.scr (PID: 6456 cmdline: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr MD5: 0FEFB456DE0C44DBE347C9AF0017E49C)
  • TSH.exe (PID: 6280 cmdline: 'C:\ProgramData\QQOFCC\TSH.exe' MD5: D60CF802E4316BFAF8CA1964B2F1C769)
  • rdpdr.sys (PID: 4 cmdline: MD5: 52A6CC99F5934CFAE88353C47B6193E7)
  • tsusbhub.sys (PID: 4 cmdline: MD5: 3A84A09CBC42148A0C7D00B3E82517F1)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\ProgramData\QQOFCC\TSH.exe | Rule: JoeSecurity_Ardamax | Description: Yara detected Ardamax | Author: Joe Security

Memory Dumps

Source: 00000007.00000003.1334765716.000000000094A000.00000004.00000001.sdmp | Rule: JoeSecurity_AveMaria | Description: Yara detected AveMaria stealer | Author: Joe Security
Source: 00000007.00000003.1334557422.0000000000943000.00000004.00000001.sdmp | Rule: Codoso_Gh0st_1 | Description: Detects Codoso APT Gh0st Malware | Author: Florian Roth | Strings:
  • 0x5850:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x5850:$c1: Elevation:Administrator!new:
Source: 00000007.00000003.1334557422.0000000000943000.00000004.00000001.sdmp | Rule: JoeSecurity_AveMaria | Description: Yara detected AveMaria stealer | Author: Joe Security
Source: 00000007.00000002.1546954748.00000000006B0000.00000040.00000001.sdmp | Rule: JoeSecurity_GuLoader | Description: Yara detected GuLoader | Author: Joe Security
Source: 00000008.00000002.1345955788.00000000006B0000.00000040.00000001.sdmp | Rule: JoeSecurity_GuLoader | Description: Yara detected GuLoader | Author: Joe Security
(25 entries in total)

Unpacked PEs

Source: 18.0.TSH.exe.7ff7d3640000.0.unpack | Rule: JoeSecurity_Ardamax | Description: Yara detected Ardamax | Author: Joe Security
Source: 13.0.TSH.exe.7ff7d3640000.0.unpack | Rule: JoeSecurity_Ardamax | Description: Yara detected Ardamax | Author: Joe Security
Source: 18.2.TSH.exe.7ff7d3640000.0.unpack | Rule: JoeSecurity_Ardamax | Description: Yara detected Ardamax | Author: Joe Security
Source: 13.2.TSH.exe.7ff7d3640000.2.unpack | Rule: JoeSecurity_Ardamax | Description: Yara detected Ardamax | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Group Modification Logging
Source: Event Logs | Author: Alexandr Yampolskyi, SOC Prime | Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-3853321935-2125563209-4053062332-1003, data 2: None, data 3: computer, data 4: S-1-5-21-3853321935-2125563209-4053062332-513, data 5: S-1-5-21-3853321935-2125563209-4053062332-1002, data 6: user, data 7: computer, data 8: 0x201ea, data 9: -
Sigma detected: Local User Creation
Source: Event Logs | Author: Patrick Bareiss | Data: EventID: 4720, Source: Microsoft-Windows-Security-Auditing, data 0: HihhIGe, data 1: computer, data 10: -, data 11: %%1793, data 12: %%1793, data 13: %%1793, data 14: %%1793, data 15: %%1793, data 16: %%1794, data 17: %%1794, data 18: 513, data 19: -, data 2: S-1-5-21-3853321935-2125563209-4053062332-1003, data 20: 0x0, data 21: 0x15, data 22: %%2080 %%2082 %%2084, data 23: %%1793, data 24: -, data 25: %%1797, data 3: S-1-5-21-3853321935-2125563209-4053062332-1002, data 4: user, data 5: computer, data 6: 0x201ea, data 7: -, data 8: HihhIGe, data 9: %%1793

Signature Overview

AV Detection:

Yara detected AveMaria stealer
Source: Yara match | File source: 00000007.00000003.1334765716.000000000094A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.1334557422.0000000000943000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.1334733091.000000000093F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.1334262218.000000000092C000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\designs.exe | Code function: 2_2_00007FF7A4038C48 FindFirstFileExW,2_2_00007FF7A4038C48
Source: C:\ProgramData\QQOFCC\TSH.exe | File opened: C:\Users\user
Source: C:\ProgramData\QQOFCC\TSH.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\ProgramData\QQOFCC\TSH.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\ProgramData\QQOFCC\TSH.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\ProgramData\QQOFCC\TSH.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\ProgramData\QQOFCC\TSH.exe | File opened: C:\Users\user\AppData

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.5:49742 -> 192.64.118.122:80
Source: global traffic | TCP traffic: 192.168.2.5:49746 -> 198.12.84.39:5200
Source: global traffic | HTTP traffic detected:
  GET /wp-content/ard/designs.exe HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: landzro365groupe.com
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 198.12.84.39
Source: unknown | DNS traffic detected: queries for: landzro365groupe.com
Source: Purchase Order.scr, 00000008.00000003.1343171392.0000000000BE9000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot202%%?
Source: Purchase Order.scr, 00000008.00000003.1343171392.0000000000BE9000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: TSH.exe, 0000000D.00000002.1558702799.00007FF7D3918000.00000002.00020000.sdmp, TSH.exe, 00000012.00000000.1390647030.00007FF7D3918000.00000002.00020000.sdmp | String found in binary or memory: http://lame.sf.net
Source: TSH.exe, 0000000D.00000002.1558702799.00007FF7D3918000.00000002.00020000.sdmp, TSH.exe, 00000012.00000000.1390647030.00007FF7D3918000.00000002.00020000.sdmp | String found in binary or memory: http://lame.sf.net64bits
Source: Me jpg jpgjpg jpg.exe, 00000001.00000002.1306378257.00000000006B0000.00000040.00000001.sdmp | String found in binary or memory: http://landzro365groupe.com/wp-content/ard/designs.exe
Source: Purchase Order.scr, 00000008.00000003.1343171392.0000000000BE9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.di
Source: Purchase Order.scr, 00000008.00000003.1343171392.0000000000BE9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Purchase Order.scr, 00000008.00000003.1343171392.0000000000BE9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: Purchase Order.scr, 00000007.00000003.1339493980.0000000000956000.00000004.00000001.sdmp | String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: TSH.exe, 0000000D.00000002.1558702799.00007FF7D3918000.00000002.00020000.sdmp, TSH.exe, 00000012.00000000.1390647030.00007FF7D3918000.00000002.00020000.sdmp | String found in binary or memory: http://www.ardamax.com/keylogger/download.htmlB
Source: TSH.exe, 0000000D.00000002.1558702799.00007FF7D3918000.00000002.00020000.sdmp, TSH.exe, 00000012.00000000.1390647030.00007FF7D3918000.00000002.00020000.sdmp | String found in binary or memory: http://www.ardamax.comhttp://www.ardamax.com/keylogger/purchase.htmlhttp://www.ardamax.com/helps/key
Source: Purchase Order.scr, 00000008.00000003.1342920176.0000000000B97000.00000004.00000001.sdmp | String found in binary or memory: https://awz9ga.db.files.1drv.com/
Source: Purchase Order.scr, 00000008.00000003.1345716620.0000000000BCF000.00000004.00000001.sdmp | String found in binary or memory: https://awz9ga.db.files.1drv.com/y4mWWpUvIZ4whS4QtvFMW0lYjE5qaUYXysTHL5ruiaS9emVXU4k3LoqWscq3ZcaRzla
Source: Purchase Order.scr, 00000008.00000003.1345716620.0000000000BCF000.00000004.00000001.sdmp, Purchase Order.scr, 00000008.00000003.1342987771.0000000000BAC000.00000004.00000001.sdmp | String found in binary or memory: https://awz9ga.db.files.1drv.com/y4mdAMoLkmBkLBdaj6nLdnbxhKNx2FXpMwE1Tb5Faz2S7_WpiZzIkm5w3KH9a3_TKcq
Source: Purchase Order.scr, 00000007.00000003.1334765716.000000000094A000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: Purchase Order.scr, 00000008.00000002.1347191052.0000000000B6B000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: Purchase Order.scr, 00000008.00000003.1342987771.0000000000BAC000.00000004.00000001.sdmp, Purchase Order.scr, 00000008.00000003.1342920176.0000000000B97000.00000004.00000001.sdmp, Purchase Order.scr, 0000000C.00000002.1363161149.00000000006B0000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=5624EA93AB8BAD8E&resid=5624EA93AB8BAD8E%21138&authkey=ABWRmxp
Source: Purchase Order.scr, 00000008.00000003.1343171392.0000000000BE9000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.co
Source: Purchase Order.scr, 00000008.00000003.1343171392.0000000000BE9000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: TSH.exe, 00000012.00000000.1390647030.00007FF7D3918000.00000002.00020000.sdmp | String found in binary or memory: https://www.openssl.org/docs/faq.html
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ardamax
Source: Yara match | File source: Process Memory Space: TSH.exe PID: 6488, type: MEMORY
Source: Yara match | File source: Process Memory Space: TSH.exe PID: 6280, type: MEMORY
Source: Yara match | File source: C:\ProgramData\QQOFCC\TSH.exe, type: DROPPED
Source: Yara match | File source: 18.0.TSH.exe.7ff7d3640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.TSH.exe.7ff7d3640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.TSH.exe.7ff7d3640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.TSH.exe.7ff7d3640000.2.unpack, type: UNPACKEDPE
Installs a global keyboard hook
Source: C:\ProgramData\QQOFCC\TSH.exe | Windows user hook set: 6492 get message C:\ProgramData\QQOFCC\TSH.exe
Source: C:\ProgramData\QQOFCC\TSH.exe | Windows user hook set: 0 call wnd proc C:\ProgramData\QQOFCC\TSH.02
Source: C:\ProgramData\QQOFCC\TSH.exe | Windows user hook set: 0 keyboard C:\ProgramData\QQOFCC\TSH.01
Source: C:\ProgramData\QQOFCC\TSH.exe | Windows user hook set: 0 get message C:\ProgramData\QQOFCC\TSH.01
Source: C:\ProgramData\QQOFCC\TSH.exe | Windows user hook set: 0 call wnd proc C:\ProgramData\QQOFCC\TSH.01
Source: C:\ProgramData\QQOFCC\TSH.exe | Windows user hook set: 0 mouse low level C:\ProgramData\QQOFCC\TSH.01
Source: Purchase Order.scr, 00000007.00000003.1334765716.000000000094A000.00000004.00000001.sdmp | Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match | File source: 00000007.00000003.1334765716.000000000094A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.1334557422.0000000000943000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.1334733091.000000000093F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.1334262218.000000000092C000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_0229706E NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,0_2_0229706E
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_02296A8D NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,0_2_02296A8D
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_02290770 EnumWindows,NtSetInformationThread,TerminateProcess,0_2_02290770
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_02298596 NtProtectVirtualMemory,0_2_02298596
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_02293431 NtWriteVirtualMemory,0_2_02293431
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_02298C09 NtResumeThread,0_2_02298C09
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_02298A11 NtResumeThread,0_2_02298A11
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_0229327D NtWriteVirtualMemory,0_2_0229327D
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_02293646 NtWriteVirtualMemory,0_2_02293646
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_022990AC NtResumeThread,0_2_022990AC
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_022930D8 NtWriteVirtualMemory,0_2_022930D8
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_02291F3E NtWriteVirtualMemory,0_2_02291F3E
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_02296F0A NtWriteVirtualMemory,0_2_02296F0A
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_02298D1B NtResumeThread,0_2_02298D1B
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_02298B12 NtResumeThread,0_2_02298B12
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_022907A7 NtSetInformationThread,TerminateProcess,LoadLibraryA,0_2_022907A7
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_02298F84 NtResumeThread,0_2_02298F84
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 0_2_022907D2 NtSetInformationThread,TerminateProcess,0_2_022907D2
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 1_2_006B706E NtSetInformationThread,GetFirmwareEnvironmentVariableExW,TerminateProcess,LoadLibraryA,1_2_006B706E
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 1_2_006B6A8D NtSetInformationThread,GetFirmwareEnvironmentVariableExW,TerminateProcess,LoadLibraryA,1_2_006B6A8D
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 1_2_006B0770 EnumWindows,NtSetInformationThread,GetFirmwareEnvironmentVariableExW,TerminateProcess,1_2_006B0770
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 1_2_006B8596 NtProtectVirtualMemory,1_2_006B8596
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 1_2_006B07D2 NtSetInformationThread,GetFirmwareEnvironmentVariableExW,TerminateProcess,1_2_006B07D2
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Code function: 1_2_006B07A7 NtSetInformationThread,GetFirmwareEnvironmentVariableExW,TerminateProcess,LoadLibraryA,1_2_006B07A7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_0239706E NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,4_2_0239706E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_02396A8D NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,4_2_02396A8D
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_02390770 EnumWindows,NtSetInformationThread,TerminateProcess,4_2_02390770
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_02398596 NtProtectVirtualMemory,4_2_02398596
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_02393431 NtWriteVirtualMemory,4_2_02393431
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_02398A11 NtResumeThread,4_2_02398A11
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_02398C09 NtResumeThread,4_2_02398C09
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_0239327D NtWriteVirtualMemory,4_2_0239327D
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_02393646 NtWriteVirtualMemory,4_2_02393646
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_023990AC NtResumeThread,4_2_023990AC
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_023930D8 NtWriteVirtualMemory,4_2_023930D8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_02391F3E NtWriteVirtualMemory,4_2_02391F3E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_02398D1B NtResumeThread,4_2_02398D1B
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_02398B12 NtResumeThread,4_2_02398B12
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_02396F0A NtWriteVirtualMemory,4_2_02396F0A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_023907A7 NtSetInformationThread,TerminateProcess,LoadLibraryA,4_2_023907A7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_02398F84 NtResumeThread,4_2_02398F84
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 4_2_023907D2 NtSetInformationThread,TerminateProcess,4_2_023907D2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C706E NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,6_2_020C706E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C6A8D NtSetInformationThread,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,6_2_020C6A8D
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C0770 EnumWindows,NtSetInformationThread,TerminateProcess,6_2_020C0770
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C8596 NtProtectVirtualMemory,6_2_020C8596
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C8C09 NtMapViewOfSection,6_2_020C8C09
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C8A11 NtMapViewOfSection,6_2_020C8A11
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C3431 NtWriteVirtualMemory,6_2_020C3431
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C3646 NtWriteVirtualMemory,6_2_020C3646
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C327D NtWriteVirtualMemory,6_2_020C327D
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C90AC NtMapViewOfSection,6_2_020C90AC
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C30D8 NtWriteVirtualMemory,6_2_020C30D8
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C6F0A NtWriteVirtualMemory,6_2_020C6F0A
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C8D1B NtMapViewOfSection,6_2_020C8D1B
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C8B12 NtMapViewOfSection,6_2_020C8B12
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C1F3E NtWriteVirtualMemory,6_2_020C1F3E
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C8F84 NtMapViewOfSection,6_2_020C8F84
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C07A7 NtSetInformationThread,TerminateProcess,LoadLibraryA,6_2_020C07A7
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 6_2_020C07D2 NtSetInformationThread,TerminateProcess,6_2_020C07D2
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 7_2_006B89F3 NtSetInformationThread,7_2_006B89F3
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 7_2_006B2A4F Sleep,TerminateThread,Sleep,LdrInitializeThunk,NtProtectVirtualMemory,LoadLibraryA,7_2_006B2A4F
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 7_2_006B2D1F LdrInitializeThunk,RtlAddVectoredExceptionHandler,LdrInitializeThunk,NtProtectVirtualMemory,NtProtectVirtualMemory,7_2_006B2D1F
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 7_2_006B8596 NtProtectVirtualMemory,7_2_006B8596
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 7_2_006B90AC NtSetInformationThread,7_2_006B90AC
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Code function: 7_2_006B8A11 NtSetInformationThread,7_2_006B8A11
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_2_006B8B12 NtSetInformationThread,7_2_006B8B12
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_2_006B2BF4 CreateThread,TerminateThread,NtProtectVirtualMemory,7_2_006B2BF4
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_2_006B8C09 NtSetInformationThread,7_2_006B8C09
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_2_006B8D1B NtSetInformationThread,7_2_006B8D1B
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_2_006B3DC1 NtProtectVirtualMemory,7_2_006B3DC1
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_2_006B3DA9 NtProtectVirtualMemory,7_2_006B3DA9
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_2_006B8F84 NtSetInformationThread,7_2_006B8F84
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B706E NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk,GetFirmwareEnvironmentVariableExW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LoadLibraryA,8_2_006B706E
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B6A8D NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk,GetFirmwareEnvironmentVariableExW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LoadLibraryA,8_2_006B6A8D
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B0770 EnumWindows,NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk,GetFirmwareEnvironmentVariableExW,LdrInitializeThunk,8_2_006B0770
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B2D1F RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory,8_2_006B2D1F
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B3DB0 NtProtectVirtualMemory,8_2_006B3DB0
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B8596 NtProtectVirtualMemory,8_2_006B8596
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B8C09 NtQueryInformationProcess,8_2_006B8C09
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B8A11 NtQueryInformationProcess,8_2_006B8A11
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B90AC NtQueryInformationProcess,8_2_006B90AC
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B8D1B NtQueryInformationProcess,8_2_006B8D1B
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B8B12 NtQueryInformationProcess,8_2_006B8B12
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B2BF4 NtProtectVirtualMemory,8_2_006B2BF4
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B3DC1 NtProtectVirtualMemory,8_2_006B3DC1
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B07D2 NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk,GetFirmwareEnvironmentVariableExW,LdrInitializeThunk,8_2_006B07D2
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B3DA9 NtProtectVirtualMemory,8_2_006B3DA9
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B07A7 NtSetInformationThread,LdrInitializeThunk,LdrInitializeThunk,GetFirmwareEnvironmentVariableExW,LdrInitializeThunk,LoadLibraryA,8_2_006B07A7
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 8_2_006B8F84 NtQueryInformationProcess,8_2_006B8F84
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeCode function: 0_2_00403BB20_2_00403BB2
                    Source: C:\Users\user\AppData\Local\Temp\designs.exeCode function: 2_2_00007FF7A4031F202_2_00007FF7A4031F20
                    Source: C:\Users\user\AppData\Local\Temp\designs.exeCode function: 2_2_00007FF7A40312202_2_00007FF7A4031220
                    Source: C:\Users\user\AppData\Local\Temp\designs.exeCode function: 2_2_00007FF7A40346B02_2_00007FF7A40346B0
                    Source: C:\Users\user\AppData\Local\Temp\designs.exeCode function: 2_2_00007FF7A40357442_2_00007FF7A4035744
                    Source: C:\Users\user\AppData\Local\Temp\designs.exeCode function: 2_2_00007FF7A4037A2C2_2_00007FF7A4037A2C
                    Source: C:\Users\user\AppData\Local\Temp\designs.exeCode function: 2_2_00007FF7A4038A182_2_00007FF7A4038A18
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE156B07_3_1EE156B0
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE046607_3_1EE04660
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE17E707_3_1EE17E70
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE187207_3_1EE18720
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE197307_3_1EE19730
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE0BCD07_3_1EE0BCD0
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE104D07_3_1EE104D0
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE06C007_3_1EE06C00
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE01D307_3_1EE01D30
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE06D307_3_1EE06D30
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE142D07_3_1EE142D0
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE05AB07_3_1EE05AB0
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE15B407_3_1EE15B40
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE123507_3_1EE12350
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE46B507_3_1EE46B50
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE160107_3_1EE16010
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE211E07_3_1EE211E0
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE1C9C07_3_1EE1C9C0
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE5D9607_3_1EE5D960
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE1D9207_3_1EE1D920
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE5B9107_3_1EE5B910
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: String function: 1EE062B0 appears 47 times
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: String function: 1EE058A0 appears 103 times
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
                    Source: Me jpg jpgjpg jpg.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: designs.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: designs.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: Purchase Order.scr.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: TSH.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: Me jpg jpgjpg jpg.exe, 00000000.00000002.1291694113.0000000002260000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Me jpg jpgjpg jpg.exe
                    Source: Me jpg jpgjpg jpg.exe, 00000000.00000002.1291451488.0000000000413000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameresignation.exe vs Me jpg jpgjpg jpg.exe
                    Source: Me jpg jpgjpg jpg.exeBinary or memory string: OriginalFilename vs Me jpg jpgjpg jpg.exe
                    Source: Me jpg jpgjpg jpg.exe, 00000001.00000002.1323199268.000000001DB80000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Me jpg jpgjpg jpg.exe
                    Source: Me jpg jpgjpg jpg.exe, 00000001.00000002.1323199268.000000001DB80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Me jpg jpgjpg jpg.exe
                    Source: Me jpg jpgjpg jpg.exe, 00000001.00000002.1313856049.00000000022A2000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameresignation.exe\x vs Me jpg jpgjpg jpg.exe
                    Source: Me jpg jpgjpg jpg.exe, 00000001.00000002.1322811705.000000001DA30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Me jpg jpgjpg jpg.exe
                    Source: Me jpg jpgjpg jpg.exe, 00000001.00000002.1318932139.000000001D420000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs Me jpg jpgjpg jpg.exe
                    Source: Me jpg jpgjpg jpg.exe, 00000001.00000002.1322855155.000000001DA80000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Me jpg jpgjpg jpg.exe
                    Source: Me jpg jpgjpg jpg.exe, 00000001.00000000.1290592760.0000000000413000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameresignation.exe vs Me jpg jpgjpg jpg.exe
                    Source: Me jpg jpgjpg jpg.exe, 00000001.00000001.1291314289.0000000000400000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameMSHTML.TLBD vs Me jpg jpgjpg jpg.exe
                    Source: Me jpg jpgjpg jpg.exeBinary or memory string: OriginalFilenameresignation.exe vs Me jpg jpgjpg jpg.exe
                    Source: unknownDriver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys
                    Source: 00000007.00000003.1334557422.0000000000943000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                    Source: 00000007.00000003.1334733091.000000000093F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                    Source: 00000007.00000003.1334262218.000000000092C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                    Source: 00000007.00000003.1334620303.000000000092C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
                    Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@22/9@7/3
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE08C40 GetLastError,GetVersionExW,FormatMessageW,FormatMessageA,_free,LocalFree,_free,7_3_1EE08C40
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE094E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,LdrInitializeThunk,GetDiskFreeSpaceW,LdrInitializeThunk,GetDiskFreeSpaceA,_free,7_3_1EE094E0
                    Source: C:\Users\user\AppData\Local\Temp\designs.exeCode function: 2_2_00007FF7A40346B0 FindWindowW,SendMessageW,FindResourceW,LoadResource,LockResource,SizeofResource,FindResourceW,LoadResource,SizeofResource,LockResource,GetModuleFileNameW,PathRemoveFileSpecW,CreateDirectoryW,CreateFileW,CreateFileW,GetSecurityInfo,SetEntriesInAclW,SetSecurityInfo,FreeSid,LocalFree,LocalFree,FindCloseChangeNotification,ShellExecuteW,2_2_00007FF7A40346B0
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile created: C:\Program Files\Microsoft DN1Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile created: C:\Users\user\AppData\Local\Microsoft Vision\Jump to behavior
                    Source: C:\ProgramData\QQOFCC\TSH.exeMutant created: \Sessions\1\BaseNamedObjects\Local\{D45184B2-D44D-4D99-931B-B84626BC5EF2}
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeFile created: C:\Users\user\AppData\Local\Temp\~DF04A3F6D2D3929A1A.TMPJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.vbs'
                    Source: Me jpg jpgjpg jpg.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: Purchase Order.scrBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: Purchase Order.scrBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: Purchase Order.scr, 00000007.00000003.1470941285.000000001EA4A000.00000004.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: Purchase Order.scrBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: Purchase Order.scrBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: Purchase Order.scrBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: Purchase Order.scrBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeFile read: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe 'C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe'
                    Source: unknownProcess created: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe 'C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe'
                    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\designs.exe 'C:\Users\user\AppData\Local\Temp\designs.exe'
                    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr' /S
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.vbs'
                    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr
                    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr' /S
                    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.vbs'
                    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr
                    Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr
                    Source: unknownProcess created: C:\ProgramData\QQOFCC\TSH.exe 'C:\ProgramData\QQOFCC\TSH.exe'
                    Source: unknownProcess created: C:\ProgramData\QQOFCC\TSH.exe 'C:\ProgramData\QQOFCC\TSH.exe'
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeProcess created: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe 'C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe' Jump to behavior
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeProcess created: C:\Users\user\AppData\Local\Temp\designs.exe 'C:\Users\user\AppData\Local\Temp\designs.exe' Jump to behavior
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr' /SJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\designs.exeProcess created: C:\ProgramData\QQOFCC\TSH.exe 'C:\ProgramData\QQOFCC\TSH.exe' Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr 'C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr' /SJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrProcess created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrFile written: C:\Program Files\Microsoft DN1\rdpwrap.iniJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrDirectory created: C:\Program Files\Microsoft DN1\sqlmap.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrDirectory created: C:\Program Files\Microsoft DN1\rdpwrap.iniJump to behavior
                    Source: Binary string: d:\Projects\AKL\x64\Release\hl.pdb source: designs.exe, 00000002.00000003.1359218535.00000176F2368000.00000004.00000001.sdmp, TSH.exe, 0000000D.00000000.1363668102.00007FF7D3A5C000.00000002.00020000.sdmp, TSH.exe, 00000012.00000002.1395366147.00007FF7D3A5C000.00000002.00020000.sdmp, TSH.01.2.dr
                    Source: Binary string: d:\Projects\AKL\x64\Release\Installer.pdb source: designs.exe, 00000002.00000000.1304194310.00007FF7A403F000.00000002.00020000.sdmp, TSH.exe, 0000000D.00000000.1363668102.00007FF7D3A5C000.00000002.00020000.sdmp, TSH.exe, 00000012.00000002.1395366147.00007FF7D3A5C000.00000002.00020000.sdmp, designs.exe.1.dr
                    Source: Binary string: d:\Projects\AKL\x64\Release\AKL.pdb source: TSH.exe, 0000000D.00000002.1558702799.00007FF7D3918000.00000002.00020000.sdmp, TSH.exe, 00000012.00000000.1390647030.00007FF7D3918000.00000002.00020000.sdmp
                    Source: Binary string: d:\Projects\AKL\x64\Release\il.pdb source: designs.exe, 00000002.00000003.1359509206.00000176F2365000.00000004.00000001.sdmp, TSH.exe, 0000000D.00000000.1363668102.00007FF7D3A5C000.00000002.00020000.sdmp, TSH.exe, 00000012.00000002.1395366147.00007FF7D3A5C000.00000002.00020000.sdmp
                    Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: Purchase Order.scr
                    Source: Binary string: RfxVmt.pdb source: Purchase Order.scr, 00000007.00000003.1339493980.0000000000956000.00000004.00000001.sdmp
                    Source: Binary string: RfxVmt.pdbGCTL source: Purchase Order.scr, 00000007.00000003.1339493980.0000000000956000.00000004.00000001.sdmp
                    Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: Purchase Order.scr, 00000007.00000003.1470941285.000000001EA4A000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000007.00000002.1546954748.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1345955788.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.1363161149.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.scr PID: 6456, type: MEMORY
Source: Yara match | File source: Process Memory Space: Me jpg jpgjpg jpg.exe PID: 6996, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.scr PID: 7140, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.scr PID: 5928, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.scr PID: 3920, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.scr PID: 5272, type: MEMORY
Source: Yara match | File source: Process Memory Space: Me jpg jpgjpg jpg.exe PID: 7024, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.scr PID: 4600, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: Purchase Order.scr PID: 6456, type: MEMORY
Source: Yara match | File source: Process Memory Space: Me jpg jpgjpg jpg.exe PID: 6996, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.scr PID: 7140, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.scr PID: 5928, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.scr PID: 3920, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.scr PID: 5272, type: MEMORY
Source: Yara match | File source: Process Memory Space: Me jpg jpgjpg jpg.exe PID: 7024, type: MEMORY
Source: Yara match | File source: Process Memory Space: Purchase Order.scr PID: 4600, type: MEMORY
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE6981B LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,LdrInitializeThunk,LdrInitializeThunk,DecodePointer,DecodePointer,DecodePointer,7_3_1EE6981B
                    Source: TSH.exe.2.drStatic PE information: section name: _RDATA
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeCode function: 0_2_0040A83A push edi; retf 0_2_0040A83B
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeCode function: 0_2_0040951E push cs; retf 0_2_0040952F
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeCode function: 0_2_00404D3B pushfd ; iretd 0_2_00404D3C
                    Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exeCode function: 0_2_0040961E push cs; retf 0_2_0040962F
                    Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scrCode function: 7_3_1EE68D05 push ecx; ret 7_3_1EE68D18

Persistence and Installation Behavior:

Drops PE files with a suspicious file extension
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | File created: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | File created: C:\Program Files\Microsoft DN1\sqlmap.dll
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | File created: C:\Users\user\AppData\Local\Temp\designs.exe
Source: C:\Users\user\AppData\Local\Temp\designs.exe | File created: C:\ProgramData\QQOFCC\TSH.01
Source: C:\Users\user\AppData\Local\Temp\designs.exe | File created: C:\ProgramData\QQOFCC\TSH.02
Source: C:\Users\user\AppData\Local\Temp\designs.exe | File created: C:\ProgramData\QQOFCC\TSH.exe

Boot Survival:

Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.vbs
Creates multiple autostart registry keys
Source: C:\Users\user\Desktop\Me jpg jpgjpg jpg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key
Source: C:\ProgramData\QQOFCC\TSH.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TSH Start
Source: C:\Windows\system32\drivers\tsusbhub.sys | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts
Source: Purchase Order.scr, 00000007.00000003.1334765716.000000000094A000.00000004.00000001.sdmp | String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: Purchase Order.scr, 00000007.00000003.1334765716.000000000094A000.00000004.00000001.sdmp | String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypeB"@v
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | File opened: C:\Users\:Zone.Identifier read attributes | delete
Hides user accounts
Source: C:\Users\user\AppData\Local\Temp\subfolder1\Purchase Order.scr | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList HihhIGe
Hooks processes query functions (used to hide processes)
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Modifies the prolog of user mode functions (user mode inline hooks)