Windows Analysis Report
JOB-in.line e.K. - New Order 56899707.exe

Overview

General Information

Sample Name: JOB-in.line e.K. - New Order 56899707.exe
Analysis ID: 679145
MD5: 9e8d620f00f7988a79ae5c1228f37899
SHA1: 27e5c643563bfe8dbccf7e26e9669c2cdde8e767
SHA256: 7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062
Tags: exe
Infos:

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Initial sample is a PE file and has a suspicious name
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: JOB-in.line e.K. - New Order 56899707.exe Virustotal: Detection: 35% Perma Link
Source: JOB-in.line e.K. - New Order 56899707.exe ReversingLabs: Detection: 26%
Yara detected AveMaria stealer
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\gATZIsOK.exe ReversingLabs: Detection: 26%
Machine Learning detection for sample
Source: JOB-in.line e.K. - New Order 56899707.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\gATZIsOK.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack Avira: Label: TR/AD.MortyStealer.utbzg
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack Malware Configuration Extractor: AveMaria {"C2 url": "20.91.187.223", "port": 5707}

Exploits
barindex
Yara detected UACMe UAC Bypass tool
Source: Yara match File source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c8aaa8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000003.391271404.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.391610814.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.385551724.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 1700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 396, type: MEMORYSTR
Uses 32bit PE files
Source: JOB-in.line e.K. - New Order 56899707.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Directory created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: JOB-in.line e.K. - New Order 56899707.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2036735 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 20.91.187.223:5707 -> 192.168.2.6:49764
Source: Traffic Snort IDS: 2036734 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin 192.168.2.6:49764 -> 20.91.187.223:5707
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 20.91.187.223
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 20.91.187.223 20.91.187.223
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49764 -> 20.91.187.223:5707
Source: unknown TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.388743797.0000000000C07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comldva
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.388743797.0000000000C07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, JOB-in.line e.K. - New Order 56899707.exe, 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Installs a raw input device (often for capturing keystrokes)
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData

E-Banking Fraud
barindex
Yara detected AveMaria stealer
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c8aaa8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: JOB-in.line e.K. - New Order 56899707.exe
Uses 32bit PE files
Source: JOB-in.line e.K. - New Order 56899707.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c8aaa8.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c8aaa8.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000003.391271404.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000009.00000003.391610814.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000009.00000000.385551724.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Detected potential crypto function
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Code function: 0_2_028DC364 0_2_028DC364
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Code function: 0_2_028DE720 0_2_028DE720
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Code function: 0_2_028DE730 0_2_028DE730
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Code function: 0_2_0B267960 0_2_0B267960
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Code function: 0_2_0B260006 0_2_0B260006
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Code function: 0_2_0B260040 0_2_0B260040
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Code function: 0_2_0B268FB8 0_2_0B268FB8
Sample file is different than original file name gathered from version info
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.397645200.0000000007420000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameFroor.dll4 vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.398166486.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.390360618.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFroor.dll4 vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392768105.0000000004301000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDoncepre.dll@ vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000000.344374528.000000000078E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameStaticIndexRangePartit.exe: vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.397407099.00000000072B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStaticIndexRan vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000009.00000002.615421806.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStaticIndexRangePartit.exe: vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe Binary or memory string: OriginalFilenameStaticIndexRangePartit.exe: vs JOB-in.line e.K. - New Order 56899707.exe
PE file contains strange resources
Source: JOB-in.line e.K. - New Order 56899707.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gATZIsOK.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: JOB-in.line e.K. - New Order 56899707.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gATZIsOK.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JOB-in.line e.K. - New Order 56899707.exe Virustotal: Detection: 35%
Source: JOB-in.line e.K. - New Order 56899707.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File read: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Jump to behavior
Source: JOB-in.line e.K. - New Order 56899707.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe "C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe"
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gATZIsOK" /XML "C:\Users\user\AppData\Local\Temp\tmpF006.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process created: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gATZIsOK" /XML "C:\Users\user\AppData\Local\Temp\tmpF006.tmp Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process created: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File created: C:\Users\user\AppData\Roaming\gATZIsOK.exe Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File created: C:\Users\user\AppData\Local\Temp\tmpF006.tmp Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.expl.evad.winEXE@9/8@0/1
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: JOB-in.line e.K. - New Order 56899707.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: JOB-in.line e.K. - New Order 56899707.exe, Lib_Mang_Sys/Member_Panel.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: gATZIsOK.exe.0.dr, Lib_Mang_Sys/Member_Panel.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.JOB-in.line e.K. - New Order 56899707.exe.6d0000.0.unpack, Lib_Mang_Sys/Member_Panel.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: JOB-in.line e.K. - New Order 56899707.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Directory created: C:\Program Files\Microsoft DN1 Jump to behavior
Source: JOB-in.line e.K. - New Order 56899707.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: JOB-in.line e.K. - New Order 56899707.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: JOB-in.line e.K. - New Order 56899707.exe, Lib_Mang_Sys/Member_Panel.cs .Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: gATZIsOK.exe.0.dr, Lib_Mang_Sys/Member_Panel.cs .Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.JOB-in.line e.K. - New Order 56899707.exe.6d0000.0.unpack, Lib_Mang_Sys/Member_Panel.cs .Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Code function: 0_2_028DD58B push 0000005Dh; retn 0004h 0_2_028DD5FD
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Code function: 0_2_028DBB31 push E004F9A9h; ret 0_2_028DBB3D
Binary contains a suspicious time stamp
Source: JOB-in.line e.K. - New Order 56899707.exe Static PE information: 0xD34074E5 [Fri Apr 24 00:40:05 2082 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.443954108514022
Source: initial sample Static PE information: section name: .text entropy: 7.443954108514022
Creates processes with suspicious names
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File created: \job-in.line e.k. - new order 56899707.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File created: \job-in.line e.k. - new order 56899707.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File created: \job-in.line e.k. - new order 56899707.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File created: \job-in.line e.k. - new order 56899707.exe Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File created: \job-in.line e.k. - new order 56899707.exe Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File created: \job-in.line e.k. - new order 56899707.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File created: C:\Users\user\AppData\Roaming\gATZIsOK.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gATZIsOK" /XML "C:\Users\user\AppData\Local\Temp\tmpF006.tmp

Hooking and other Techniques for Hiding and Protection
barindex
Contains functionality to hide user accounts
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 1700, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe TID: 2444 Thread sleep time: -45877s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe TID: 3956 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5808 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe TID: 3508 Thread sleep count: 60 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9161 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Thread delayed: delay time: 45877 Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gATZIsOK" /XML "C:\Users\user\AppData\Local\Temp\tmpF006.tmp Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Process created: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Increases the number of concurrent connection per server for Internet Explorer
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10 Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AveMaria stealer
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 1700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 396, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AveMaria stealer
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 679145 Sample: JOB-in.line e.K. - New Orde... Startdate: 05/08/2022 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 13 other signatures 2->39 7 JOB-in.line e.K. - New Order 56899707.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\gATZIsOK.exe, PE32 7->23 dropped 25 C:\Users\...\gATZIsOK.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmpF006.tmp, XML 7->27 dropped 29 JOB-in.line e.K. -...er 56899707.exe.log, ASCII 7->29 dropped 41 Adds a directory exclusion to Windows Defender 7->41 11 JOB-in.line e.K. - New Order 56899707.exe 3 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 20.91.187.223, 49764, 5707 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 11->31 43 Increases the number of concurrent connection per server for Internet Explorer 11->43 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->45 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
20.91.187.223
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS true

Contacted URLs

Name Malicious Antivirus Detection Reputation
20.91.187.223 true
  • Avira URL Cloud: safe
 unknown