Edit tour

Windows Analysis Report
JOB-in.line e.K. - New Order 56899707.exe

Overview

General Information

Sample Name:	JOB-in.line e.K. - New Order 56899707.exe
Analysis ID:	679145
MD5:	9e8d620f00f7988a79ae5c1228f37899
SHA1:	27e5c643563bfe8dbccf7e26e9669c2cdde8e767
SHA256:	7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062
Tags:	exe
Infos:

Detection

AveMaria, UACMe

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected UACMe UAC Bypass tool

Yara detected AveMaria stealer

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Initial sample is a PE file and has a suspicious name

Increases the number of concurrent connection per server for Internet Explorer

Contains functionality to hide user accounts

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Creates processes with suspicious names

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

JOB-in.line e.K. - New Order 56899707.exe (PID: 1700 cmdline: "C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe" MD5: 9E8D620F00F7988A79AE5C1228F37899)

powershell.exe (PID: 5000 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 488 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gATZIsOK" /XML "C:\Users\user\AppData\Local\Temp\tmpF006.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

JOB-in.line e.K. - New Order 56899707.exe (PID: 396 cmdline: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe MD5: 9E8D620F00F7988A79AE5C1228F37899)

cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "20.91.187.223", "port": 5707}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000003.391271404.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xa20:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3828:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xa20:$c1: Elevation:Administrator!new: 0x3828:$c1: Elevation:Administrator!new:
00000009.00000003.391271404.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000009.00000003.391610814.0000000000C87000.00000004.00000020.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x1230:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1230:$c1: Elevation:Administrator!new:
00000009.00000003.391610814.0000000000C87000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000009.00000000.385551724.000000000054F000.00000040.00000400.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xdf0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xdf0:$c1: Elevation:Administrator!new:
00000009.00000000.385551724.000000000054F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x3230:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a78:$a2: SMTP Password 0xcb8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3138:$a5: for /F "usebackq tokens=*" %%A in (" 0x14a8:$a6: \Torch\User Data\Default\Login Data 0x2014:$a8: "os_crypt":{"encrypted_key":" 0x1940:$a10: \logins.json 0x1f8c:$a11: Accounts\Account.rec0 0x850:$a12: warzone160 0x2ee0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x31e8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x7bf0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1a30:$a2: SMTP Password 0x6438:$a2: SMTP Password 0xc70:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x5678:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x30f0:$a5: for /F "usebackq tokens=" %%A in (" 0x7af8:$a5: for /F "usebackq tokens=" %%A in (" 0x1460:$a6: \Torch\User Data\Default\Login Data 0x5e68:$a6: \Torch\User Data\Default\Login Data 0x1fcc:$a8: "os_crypt":{"encrypted_key":" 0x69d4:$a8: "os_crypt":{"encrypted_key":" 0x18f8:$a10: \logins.json 0x6300:$a10: \logins.json 0x1f44:$a11: Accounts\Account.rec0 0x694c:$a11: Accounts\Account.rec0 0x808:$a12: warzone160 0x5210:$a12: warzone160 0x2e98:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper 0x78a0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x39c10:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x56030:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x39c10:$c1: Elevation:Administrator!new: 0x56030:$c1: Elevation:Administrator!new:
00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x37050:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x53470:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x35898:$a2: SMTP Password 0x51cb8:$a2: SMTP Password 0x34ad8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x50ef8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x39c10:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x56030:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x36f58:$a5: for /F "usebackq tokens=" %%A in (" 0x53378:$a5: for /F "usebackq tokens=" %%A in (" 0x352c8:$a6: \Torch\User Data\Default\Login Data 0x516e8:$a6: \Torch\User Data\Default\Login Data 0x39d30:$a7: /n:%temp%\ellocnak.xml 0x56150:$a7: /n:%temp%\ellocnak.xml 0x35e34:$a8: "os_crypt":{"encrypted_key":" 0x52254:$a8: "os_crypt":{"encrypted_key":" 0x39d60:$a9: Hey I'm Admin 0x56180:$a9: Hey I'm Admin 0x35760:$a10: \logins.json 0x51b80:$a10: \logins.json 0x35dac:$a11: Accounts\Account.rec0
00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x9aad0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x9aad0:$c1: Elevation:Administrator!new:
00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x97ef8:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x96740:$a2: SMTP Password 0x95980:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x9aad0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x97e00:$a5: for /F "usebackq tokens=*" %%A in (" 0x96170:$a6: \Torch\User Data\Default\Login Data 0x9abf0:$a7: /n:%temp%\ellocnak.xml 0x96cdc:$a8: "os_crypt":{"encrypted_key":" 0x9ac20:$a9: Hey I'm Admin 0x96608:$a10: \logins.json 0x96c54:$a11: Accounts\Account.rec0 0x95518:$a12: warzone160 0x97ba8:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 1700	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 1700	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 1700	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 396	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.3.JOB-in.line e.K. - New Order 56899707.exe.c8aaa8.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
9.3.JOB-in.line e.K. - New Order 56899707.exe.c8aaa8.1.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
9.3.JOB-in.line e.K. - New Order 56899707.exe.c8aaa8.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x970:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1b78:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x970:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x1b78:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x970:$c1: Elevation:Administrator!new: 0x1b78:$c1: Elevation:Administrator!new:
9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xd80:$c1: Elevation:Administrator!new:
9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x2318:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x2318:$c1: Elevation:Administrator!new:
9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0xb18:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0xb18:$c1: Elevation:Administrator!new:
9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x456c8:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x456c8:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x456c8:$c1: Elevation:Administrator!new:
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x409a8:$a1: \Opera Software\Opera Stable\Login Data 0x40cd0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x40618:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x42b9d:$r1: Classes\Folder\shell\open\command 0x42bc0:$k1: DelegateExecute
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x425a4:$s1: RDPClip 0x42c8c:$s2: Grabber 0x427a0:$s3: Ave_Maria Stealer OpenSource 0x428a0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x425d6:$s5: @\cmd.exe 0x457e8:$s6: /n:%temp%\ellocnak.xml 0x45818:$s7: Hey I'm Admin 0x40110:$s8: warzone160
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x42af0:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x41338:$a2: SMTP Password 0x40578:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x456c8:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x429f8:$a5: for /F "usebackq tokens=*" %%A in (" 0x40d68:$a6: \Torch\User Data\Default\Login Data 0x457e8:$a7: /n:%temp%\ellocnak.xml 0x418d4:$a8: "os_crypt":{"encrypted_key":" 0x45818:$a9: Hey I'm Admin 0x41200:$a10: \logins.json 0x4184c:$a11: Accounts\Account.rec0 0x40110:$a12: warzone160 0x427a0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack	AveMaria_WarZone	unknown	unknown	0x42af0:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x428cc:$str2: MsgBox.exe 0x42b5c:$str4: \System32\cmd.exe 0x427a0:$str6: Ave_Maria 0x42038:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x41338:$str8: SMTP Password 0x40618:$str11: \Google\Chrome\User Data\Default\Login Data 0x42004:$str12: \sqlmap.dll 0x456c8:$str16: Elevation:Administrator!new 0x457e8:$str17: /n:%temp%
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x3947c:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x3947c:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x3947c:$c1: Elevation:Administrator!new:
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3475c:$a1: \Opera Software\Opera Stable\Login Data 0x34a84:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x343cc:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x36951:$r1: Classes\Folder\shell\open\command 0x36974:$k1: DelegateExecute
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x36358:$s1: RDPClip 0x36a40:$s2: Grabber 0x36554:$s3: Ave_Maria Stealer OpenSource 0x36654:$s4: \MidgetPorn\workspace\MsgBox.exe 0x3638a:$s5: @\cmd.exe 0x3959c:$s6: /n:%temp%\ellocnak.xml 0x395cc:$s7: Hey I'm Admin 0x33ec4:$s8: warzone160
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x368a4:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x350ec:$a2: SMTP Password 0x3432c:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x3947c:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x367ac:$a5: for /F "usebackq tokens=*" %%A in (" 0x34b1c:$a6: \Torch\User Data\Default\Login Data 0x3959c:$a7: /n:%temp%\ellocnak.xml 0x35688:$a8: "os_crypt":{"encrypted_key":" 0x395cc:$a9: Hey I'm Admin 0x34fb4:$a10: \logins.json 0x35600:$a11: Accounts\Account.rec0 0x33ec4:$a12: warzone160 0x36554:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack	AveMaria_WarZone	unknown	unknown	0x368a4:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x36680:$str2: MsgBox.exe 0x36910:$str4: \System32\cmd.exe 0x36554:$str6: Ave_Maria 0x35dec:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x350ec:$str8: SMTP Password 0x343cc:$str11: \Google\Chrome\User Data\Default\Login Data 0x35db8:$str12: \sqlmap.dll 0x3947c:$str16: Elevation:Administrator!new 0x3959c:$str17: /n:%temp%
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x17ff0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x17ff0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x17ff0:$c1: Elevation:Administrator!new:
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x138e8:$a1: \Opera Software\Opera Stable\Login Data 0x13c10:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13558:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x15add:$r1: Classes\Folder\shell\open\command 0x15b00:$k1: DelegateExecute
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x154e4:$s1: RDPClip 0x15bcc:$s2: Grabber 0x156e0:$s3: Ave_Maria Stealer OpenSource 0x157e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x15516:$s5: @\cmd.exe 0x18110:$s6: /n:%temp%\ellocnak.xml 0x18140:$s7: Hey I'm Admin 0x13050:$s8: warzone160
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x15a30:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14278:$a2: SMTP Password 0x134b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x17ff0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x15938:$a5: for /F "usebackq tokens=*" %%A in (" 0x13ca8:$a6: \Torch\User Data\Default\Login Data 0x18110:$a7: /n:%temp%\ellocnak.xml 0x14814:$a8: "os_crypt":{"encrypted_key":" 0x18140:$a9: Hey I'm Admin 0x14140:$a10: \logins.json 0x1478c:$a11: Accounts\Account.rec0 0x13050:$a12: warzone160 0x156e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack	AveMaria_WarZone	unknown	unknown	0x15a30:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1580c:$str2: MsgBox.exe 0x15a9c:$str4: \System32\cmd.exe 0x156e0:$str6: Ave_Maria 0x14f78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14278:$str8: SMTP Password 0x13558:$str11: \Google\Chrome\User Data\Default\Login Data 0x14f44:$str12: \sqlmap.dll 0x17ff0:$str16: Elevation:Administrator!new 0x18110:$str17: /n:%temp%
9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new:
9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data
9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute
9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x167cc:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x16116:$s5: @\cmd.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x13c50:$s8: warzone160
9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=*" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0 0x13c50:$a12: warzone160 0x162e0:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp%
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x4c914:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x4c914:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x4c914:$c1: Elevation:Administrator!new:
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x47bf4:$a1: \Opera Software\Opera Stable\Login Data 0x47f1c:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x47864:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x49de9:$r1: Classes\Folder\shell\open\command 0x49e0c:$k1: DelegateExecute
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x497f0:$s1: RDPClip 0x49ed8:$s2: Grabber 0x499ec:$s3: Ave_Maria Stealer OpenSource 0x49aec:$s4: \MidgetPorn\workspace\MsgBox.exe 0x49822:$s5: @\cmd.exe 0x4ca34:$s6: /n:%temp%\ellocnak.xml 0x4ca64:$s7: Hey I'm Admin 0x4735c:$s8: warzone160
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x49d3c:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x48584:$a2: SMTP Password 0x477c4:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x4c914:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x49c44:$a5: for /F "usebackq tokens=*" %%A in (" 0x47fb4:$a6: \Torch\User Data\Default\Login Data 0x4ca34:$a7: /n:%temp%\ellocnak.xml 0x48b20:$a8: "os_crypt":{"encrypted_key":" 0x4ca64:$a9: Hey I'm Admin 0x4844c:$a10: \logins.json 0x48a98:$a11: Accounts\Account.rec0 0x4735c:$a12: warzone160 0x499ec:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x49d3c:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x49b18:$str2: MsgBox.exe 0x49da8:$str4: \System32\cmd.exe 0x499ec:$str6: Ave_Maria 0x49284:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x48584:$str8: SMTP Password 0x47864:$str11: \Google\Chrome\User Data\Default\Login Data 0x49250:$str12: \sqlmap.dll 0x4c914:$str16: Elevation:Administrator!new 0x4ca34:$str17: /n:%temp%
0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x39210:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x55630:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x39210:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x55630:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x39210:$c1: Elevation:Administrator!new: 0x55630:$c1: Elevation:Administrator!new:
0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x34508:$a1: \Opera Software\Opera Stable\Login Data 0x50928:$a1: \Opera Software\Opera Stable\Login Data 0x34830:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x50c50:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x34178:$a3: \Google\Chrome\User Data\Default\Login Data 0x50598:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x366fd:$r1: Classes\Folder\shell\open\command 0x52b1d:$r1: Classes\Folder\shell\open\command 0x36720:$k1: DelegateExecute 0x52b40:$k1: DelegateExecute
0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x36104:$s1: RDPClip 0x52524:$s1: RDPClip 0x367ec:$s2: Grabber 0x52c0c:$s2: Grabber 0x36300:$s3: Ave_Maria Stealer OpenSource 0x52720:$s3: Ave_Maria Stealer OpenSource 0x36400:$s4: \MidgetPorn\workspace\MsgBox.exe 0x52820:$s4: \MidgetPorn\workspace\MsgBox.exe 0x36136:$s5: @\cmd.exe 0x52556:$s5: @\cmd.exe 0x39330:$s6: /n:%temp%\ellocnak.xml 0x55750:$s6: /n:%temp%\ellocnak.xml 0x39360:$s7: Hey I'm Admin 0x55780:$s7: Hey I'm Admin 0x33c70:$s8: warzone160 0x50090:$s8: warzone160
0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x36650:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x52a70:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x34e98:$a2: SMTP Password 0x512b8:$a2: SMTP Password 0x340d8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x504f8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x39210:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x55630:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x36558:$a5: for /F "usebackq tokens=" %%A in (" 0x52978:$a5: for /F "usebackq tokens=" %%A in (" 0x348c8:$a6: \Torch\User Data\Default\Login Data 0x50ce8:$a6: \Torch\User Data\Default\Login Data 0x39330:$a7: /n:%temp%\ellocnak.xml 0x55750:$a7: /n:%temp%\ellocnak.xml 0x35434:$a8: "os_crypt":{"encrypted_key":" 0x51854:$a8: "os_crypt":{"encrypted_key":" 0x39360:$a9: Hey I'm Admin 0x55780:$a9: Hey I'm Admin 0x34d60:$a10: \logins.json 0x51180:$a10: \logins.json 0x353ac:$a11: Accounts\Account.rec0
0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack	AveMaria_WarZone	unknown	unknown	0x36650:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x52a70:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x3642c:$str2: MsgBox.exe 0x5284c:$str2: MsgBox.exe 0x366bc:$str4: \System32\cmd.exe 0x52adc:$str4: \System32\cmd.exe 0x36300:$str6: Ave_Maria 0x52720:$str6: Ave_Maria 0x35b98:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x51fb8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x34e98:$str8: SMTP Password 0x512b8:$str8: SMTP Password 0x34178:$str11: \Google\Chrome\User Data\Default\Login Data 0x50598:$str11: \Google\Chrome\User Data\Default\Login Data 0x35b64:$str12: \sqlmap.dll 0x51f84:$str12: \sqlmap.dll 0x39210:$str16: Elevation:Administrator!new 0x55630:$str16: Elevation:Administrator!new 0x39330:$str17: /n:%temp% 0x55750:$str17: /n:%temp%
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack	Codoso_Gh0st_2	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x35610:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack	Codoso_Gh0st_1	Detects Codoso APT Gh0st Malware	Florian Roth	0x191f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x35610:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x191f0:$c1: Elevation:Administrator!new: 0x35610:$c1: Elevation:Administrator!new:
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x144e8:$a1: \Opera Software\Opera Stable\Login Data 0x30908:$a1: \Opera Software\Opera Stable\Login Data 0x14810:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x30c30:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x14158:$a3: \Google\Chrome\User Data\Default\Login Data 0x30578:$a3: \Google\Chrome\User Data\Default\Login Data
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack	JoeSecurity_UACMe	Yara detected UACMe UAC Bypass tool	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x166dd:$r1: Classes\Folder\shell\open\command 0x32afd:$r1: Classes\Folder\shell\open\command 0x16700:$k1: DelegateExecute 0x32b20:$k1: DelegateExecute
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack	MALWARE_Win_WarzoneRAT	Detects AveMaria/WarzoneRAT	ditekSHen	0x160e4:$s1: RDPClip 0x32504:$s1: RDPClip 0x167cc:$s2: Grabber 0x32bec:$s2: Grabber 0x162e0:$s3: Ave_Maria Stealer OpenSource 0x32700:$s3: Ave_Maria Stealer OpenSource 0x163e0:$s4: \MidgetPorn\workspace\MsgBox.exe 0x32800:$s4: \MidgetPorn\workspace\MsgBox.exe 0x16116:$s5: @\cmd.exe 0x32536:$s5: @\cmd.exe 0x19310:$s6: /n:%temp%\ellocnak.xml 0x35730:$s6: /n:%temp%\ellocnak.xml 0x19340:$s7: Hey I'm Admin 0x35760:$s7: Hey I'm Admin 0x13c50:$s8: warzone160 0x30070:$s8: warzone160
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack	Windows_Trojan_AveMaria_31d2bce9	unknown	unknown	0x16630:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x32a50:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x14e78:$a2: SMTP Password 0x31298:$a2: SMTP Password 0x140b8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x304d8:$a3: select signon_realm, origin_url, username_value, password_value from logins 0x191f0:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x35610:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09} 0x16538:$a5: for /F "usebackq tokens=" %%A in (" 0x32958:$a5: for /F "usebackq tokens=" %%A in (" 0x148a8:$a6: \Torch\User Data\Default\Login Data 0x30cc8:$a6: \Torch\User Data\Default\Login Data 0x19310:$a7: /n:%temp%\ellocnak.xml 0x35730:$a7: /n:%temp%\ellocnak.xml 0x15414:$a8: "os_crypt":{"encrypted_key":" 0x31834:$a8: "os_crypt":{"encrypted_key":" 0x19340:$a9: Hey I'm Admin 0x35760:$a9: Hey I'm Admin 0x14d40:$a10: \logins.json 0x31160:$a10: \logins.json 0x1538c:$a11: Accounts\Account.rec0
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack	AveMaria_WarZone	unknown	unknown	0x16630:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x32a50:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x1640c:$str2: MsgBox.exe 0x3282c:$str2: MsgBox.exe 0x1669c:$str4: \System32\cmd.exe 0x32abc:$str4: \System32\cmd.exe 0x162e0:$str6: Ave_Maria 0x32700:$str6: Ave_Maria 0x15b78:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x31f98:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x14e78:$str8: SMTP Password 0x31298:$str8: SMTP Password 0x14158:$str11: \Google\Chrome\User Data\Default\Login Data 0x30578:$str11: \Google\Chrome\User Data\Default\Login Data 0x15b44:$str12: \sqlmap.dll 0x31f64:$str12: \sqlmap.dll 0x191f0:$str16: Elevation:Administrator!new 0x35610:$str16: Elevation:Administrator!new 0x19310:$str17: /n:%temp% 0x35730:$str17: /n:%temp%
Click to see the 80 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) - Source IP: 20.91.187.223 - Destination IP: 192.168.2.6

Timestamp:	20.91.187.223192.168.2.65707497642036735 08/05/22-10:48:28.518524
SID:	2036735
Source Port:	5707
Destination Port:	49764
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin - Source IP: 192.168.2.6 - Destination IP: 20.91.187.223

Timestamp:	192.168.2.620.91.187.2234976457072036734 08/05/22-10:48:28.721248
SID:	2036734
Source Port:	49764
Destination Port:	5707
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: JOB-in.line e.K. - New Order 56899707.exe	Virustotal: Detection: 35%			Perma Link
Source: JOB-in.line e.K. - New Order 56899707.exe	ReversingLabs: Detection: 26%

Yara detected AveMaria stealer

Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\gATZIsOK.exe

ReversingLabs: Detection: 26%

Machine Learning detection for sample

Source: JOB-in.line e.K. - New Order 56899707.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gATZIsOK.exe

Joe Sandbox ML: detected

Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack	Avira: Label: TR/AD.MortyStealer.utbzg
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack	Avira: Label: TR/Redcap.ghjpt

Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack

Malware Configuration Extractor: AveMaria {"C2 url": "20.91.187.223", "port": 5707}

Exploits

Yara detected UACMe UAC Bypass tool

Source: Yara match	File source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c8aaa8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.391271404.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.391610814.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.385551724.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 1700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 396, type: MEMORYSTR

Source: JOB-in.line e.K. - New Order 56899707.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: JOB-in.line e.K. - New Order 56899707.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2036735 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 20.91.187.223:5707 -> 192.168.2.6:49764
Source: Traffic	Snort IDS: 2036734 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin 192.168.2.6:49764 -> 20.91.187.223:5707

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 20.91.187.223

Source: Joe Sandbox View

ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: Joe Sandbox View

IP Address: 20.91.187.223 20.91.187.223

Source: global traffic

TCP traffic: 192.168.2.6:49764 -> 20.91.187.223:5707

Source: unknown	TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown	TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown	TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown	TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown	TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown	TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown	TCP traffic detected without corresponding DNS query: 20.91.187.223
Source: unknown	TCP traffic detected without corresponding DNS query: 20.91.187.223

Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.388743797.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comldva
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.388743797.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, JOB-in.line e.K. - New Order 56899707.exe, 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

E-Banking Fraud

Yara detected AveMaria stealer

Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c8aaa8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: JOB-in.line e.K. - New Order 56899707.exe

Source: JOB-in.line e.K. - New Order 56899707.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c8aaa8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c8aaa8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c874b0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.3.JOB-in.line e.K. - New Order 56899707.exe.c89510.2.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000009.00000003.391271404.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000009.00000003.391610814.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000009.00000000.385551724.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Code function: 0_2_028DC364
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Code function: 0_2_028DE720
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Code function: 0_2_028DE730
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Code function: 0_2_0B267960
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Code function: 0_2_0B260006
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Code function: 0_2_0B260040
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Code function: 0_2_0B268FB8

Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.397645200.0000000007420000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFroor.dll4 vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.398166486.000000000AFF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.390360618.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFroor.dll4 vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392768105.0000000004301000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000000.344374528.000000000078E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStaticIndexRangePartit.exe: vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.397407099.00000000072B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStaticIndexRan vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000009.00000002.615421806.0000000002D8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStaticIndexRangePartit.exe: vs JOB-in.line e.K. - New Order 56899707.exe
Source: JOB-in.line e.K. - New Order 56899707.exe	Binary or memory string: OriginalFilenameStaticIndexRangePartit.exe: vs JOB-in.line e.K. - New Order 56899707.exe

Source: JOB-in.line e.K. - New Order 56899707.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gATZIsOK.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: JOB-in.line e.K. - New Order 56899707.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gATZIsOK.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: JOB-in.line e.K. - New Order 56899707.exe	Virustotal: Detection: 35%
Source: JOB-in.line e.K. - New Order 56899707.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

File read: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

Jump to behavior

Source: JOB-in.line e.K. - New Order 56899707.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe "C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe"
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gATZIsOK" /XML "C:\Users\user\AppData\Local\Temp\tmpF006.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process created: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gATZIsOK" /XML "C:\Users\user\AppData\Local\Temp\tmpF006.tmp
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process created: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

File created: C:\Users\user\AppData\Roaming\gATZIsOK.exe

Jump to behavior

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF006.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.expl.evad.winEXE@9/8@0/1

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: JOB-in.line e.K. - New Order 56899707.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

File created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: JOB-in.line e.K. - New Order 56899707.exe, Lib_Mang_Sys/Member_Panel.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: gATZIsOK.exe.0.dr, Lib_Mang_Sys/Member_Panel.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.JOB-in.line e.K. - New Order 56899707.exe.6d0000.0.unpack, Lib_Mang_Sys/Member_Panel.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: JOB-in.line e.K. - New Order 56899707.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

Directory created: C:\Program Files\Microsoft DN1

Jump to behavior

Source: JOB-in.line e.K. - New Order 56899707.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: JOB-in.line e.K. - New Order 56899707.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

.NET source code contains potential unpacker

Source: JOB-in.line e.K. - New Order 56899707.exe, Lib_Mang_Sys/Member_Panel.cs	.Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: gATZIsOK.exe.0.dr, Lib_Mang_Sys/Member_Panel.cs	.Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.JOB-in.line e.K. - New Order 56899707.exe.6d0000.0.unpack, Lib_Mang_Sys/Member_Panel.cs	.Net Code: DataReturn System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Code function: 0_2_028DD58B push 0000005Dh; retn 0004h
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Code function: 0_2_028DBB31 push E004F9A9h; ret

Source: JOB-in.line e.K. - New Order 56899707.exe

Static PE information: 0xD34074E5 [Fri Apr 24 00:40:05 2082 UTC]

Source: initial sample	Static PE information: section name: .text entropy: 7.443954108514022
Source: initial sample	Static PE information: section name: .text entropy: 7.443954108514022

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	File created: \job-in.line e.k. - new order 56899707.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	File created: \job-in.line e.k. - new order 56899707.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	File created: \job-in.line e.k. - new order 56899707.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	File created: \job-in.line e.k. - new order 56899707.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	File created: \job-in.line e.k. - new order 56899707.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	File created: \job-in.line e.k. - new order 56899707.exe

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

File created: C:\Users\user\AppData\Roaming\gATZIsOK.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gATZIsOK" /XML "C:\Users\user\AppData\Local\Temp\tmpF006.tmp

Hooking and other Techniques for Hiding and Protection

Contains functionality to hide user accounts

Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

File opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 1700, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe TID: 2444	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe TID: 3956	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5808	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe TID: 3508	Thread sleep count: 60 > 30

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 9161

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gATZIsOK" /XML "C:\Users\user\AppData\Local\Temp\tmpF006.tmp
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Process created: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Increases the number of concurrent connection per server for Internet Explorer

Source: C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Jump to behavior

Stealing of Sensitive Information

Yara detected AveMaria stealer

Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 1700, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JOB-in.line e.K. - New Order 56899707.exe PID: 396, type: MEMORYSTR

Remote Access Functionality

Yara detected AveMaria stealer

Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d6b408.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d77654.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.2d641bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45c4a00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	3 Masquerading	11 Input Capture	1 Query Registry	Remote Services	11 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Endpoint Denial of Service
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Hidden Users	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	2 Obfuscated Files or Information	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	13 Software Packing	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 Timestomp	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
JOB-in.line e.K. - New Order 56899707.exe	36%	Virustotal		Browse
JOB-in.line e.K. - New Order 56899707.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.LokiBot
JOB-in.line e.K. - New Order 56899707.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gATZIsOK.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\gATZIsOK.exe	26%	ReversingLabs	ByteCode-MSIL.Trojan.LokiBot

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.JOB-in.line e.K. - New Order 56899707.exe.45e4a20.8.unpack	100%	Avira	TR/AD.MortyStealer.utbzg		Download File
9.0.JOB-in.line e.K. - New Order 56899707.exe.400000.0.unpack	100%	Avira	TR/Redcap.ghjpt		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
20.91.187.223	0%	Avira URL Cloud	safe
http://www.fontbureau.comldva	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
20.91.187.223	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comldva	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.388743797.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comm	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.388743797.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/syohex/java-simple-mine-sweeperC:	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, JOB-in.line e.K. - New Order 56899707.exe, 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	JOB-in.line e.K. - New Order 56899707.exe, 00000000.00000002.396315425.0000000006B72000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.91.187.223	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679145
Start date and time: 05/08/202210:47:06	2022-08-05 10:47:06 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 29s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	JOB-in.line e.K. - New Order 56899707.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.expl.evad.winEXE@9/8@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 90% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:48:14	API Interceptor	1x Sleep call for process: JOB-in.line e.K. - New Order 56899707.exe modified
10:48:21	API Interceptor	40x Sleep call for process: powershell.exe modified

Process:	C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1750
Entropy (8bit):	5.3375092442007315
Encrypted:	false
SSDEEP:	48:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHYHKlEHUzvAHj:Pq5qXEwCYqhQnoPtIxHeqzN4qm0z4D
MD5:	92FEE17DD9A6925BA2D1E5EF2CD6E5F2
SHA1:	4614AE0DD188A0FE1983C5A8D82A69AF5BD13039
SHA-256:	67351D6FA9F9E11FD21E72581AFDC8E63A284A6080D99A6390641FC11C667235
SHA-512:	C599C633D288B845A7FAA31FC0FA86EAB8585CC2C515D68CA0DFC6AB16B27515A5D729EF535109B2CDE29FF3CF4CF725F4F920858501A2421FC7D76C804F2AA7
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	22272
Entropy (8bit):	5.601254883343104
Encrypted:	false
SSDEEP:	384:BtCDa0e8ndTFv2qYSYJnsjsh77Y9g9SJ3xa1BMrm7Z1AV7xJZ664I+iyY:WdTd3YpJsohf9cBa4aA
MD5:	06205E11A9DF526F2FF7C403468FAEE6
SHA1:	904AA9587BD6994C944D823093E8F048B79A09EE
SHA-256:	0B6176302F9885786D720731275335DA302FE07154377C9D17DC0AADB50F420C
SHA-512:	CAAF33F6012E680E9F8D6C251459B24DE7A40DAE4DD1E7BB44DC126B9C77A58B38ED0B4BFAC41F40CA2A4B279821255E674671D4B38DEFC90BCA14B589A40CCA
Malicious:	false
Reputation:	low
Preview:	@...e...........y.........R.U.I.(...@.c..............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_evf3gbiu.whq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkbfubpc.mhm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmpF006.tmp

Download File

Process:	C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1607
Entropy (8bit):	5.115469344505131
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL6xvn:cgea6YrFdOFzOzN33ODOiDdKrsuT6v
MD5:	72EF6E87E7FD36C98FB3FCBDC5E917B1
SHA1:	A17031F96BEB591193C1DCE943DD756F10E10248
SHA-256:	300C48EBA80425F4A8FFFC85462E37CAFE816A8B8498DBFA4A0991F86C307419
SHA-512:	3D60068AD6982944419549B32D7FEC6F72A00DE1FA6688E72D3FE5936C58AF82C87B63692A391C4B89F058D6354D5A3493CACB285E1A5D681E8DE7FEB5C4E041
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab

C:\Users\user\AppData\Roaming\gATZIsOK.exe

Download File

Process:	C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	862720
Entropy (8bit):	7.020056015678397
Encrypted:	false
SSDEEP:	12288:2k2oQCM0fSNakWL9Kh+gwv5ysdG5Ggdy/hkKJg6SKlpxw8r:xTSWLYh+geG5Gs2TnLlpxw8
MD5:	9E8D620F00F7988A79AE5C1228F37899
SHA1:	27E5C643563BFE8DBCCF7E26E9669C2CDDE8E767
SHA-256:	7907827BA244123DDC19A986203A2DF7F7B9E7D984FF8EFE6715372E2F431062
SHA-512:	39CD5593B238C32E0644448F6E1845760CE1A56F551A97217F2EA72C7AD72725564A2B568166B84712B12B5949A0146D7C355B4756E6985311E0451F5D09F2B0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....t@...............0.............v.... ........@.. ....................................@.................................$...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc...............(..............@..B................X.......H.......@....P......$.......8..............................................}.....(.......(......{.....o.........0..w........r...p..s.......~O.....o.....r$..p..B....(.......s........o......s..........o......{......o........&........,..o...............Tc..........]k.......0..:.........o ........,+..{....o!...o"....o#...o$....B......(.........0..n........r...p..s........o.....r...p..B...(%.......(&.....B...('......s......o(.....r...p()...&...&........,..o................KZ..

C:\Users\user\AppData\Roaming\gATZIsOK.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Documents\20220805\PowerShell_transcript.065367.PYT_AdW3.20220805104819.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5811
Entropy (8bit):	5.370569364110241
Encrypted:	false
SSDEEP:	96:BZETLJNUc3qDo1ZjwZ+TLJNUc3qDo1Znf5njZ2TLJNUc3qDo1ZkeXXiZB:HAKIt
MD5:	2A825DC0186F01C76867E670AED74AF9
SHA1:	52C519B2EE900428B8D62828224132F13318020D
SHA-256:	3BFA4373B1F437FDA466ED109927F63B11806415ED8F9AA8A5D2076D87E5C769
SHA-512:	D9EAE585E8CBBDCB0243FAB70F45A5E65395AF4CC65B57727FFB988044A269C524AF80BA69BC3A07884E80103C47128EE8CD5C2FC920D47B4C3CA507E6250717
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220805104820..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 065367 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\gATZIsOK.exe..Process ID: 5000..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220805104820..******************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\gATZIsOK.exe..********************..Windows PowerShell transcript start..Start time: 20220805105300..Username: computer\user..RunAs User: DESKTOP-7

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.020056015678397
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	JOB-in.line e.K. - New Order 56899707.exe
File size:	862720
MD5:	9e8d620f00f7988a79ae5c1228f37899
SHA1:	27e5c643563bfe8dbccf7e26e9669c2cdde8e767
SHA256:	7907827ba244123ddc19a986203a2df7f7b9e7d984ff8efe6715372e2f431062
SHA512:	39cd5593b238c32e0644448f6e1845760ce1a56f551a97217f2ea72c7ad72725564a2b568166b84712b12b5949a0146d7c355b4756e6985311e0451f5d09f2b0
SSDEEP:	12288:2k2oQCM0fSNakWL9Kh+gwv5ysdG5Ggdy/hkKJg6SKlpxw8r:xTSWLYh+geG5Gs2TnLlpxw8
TLSH:	DA05CF41B6BA9A12C5740FB0DBA181500F34AD1B7D71F6CEE85835A63B71BB78B106CE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....t@...............0.............v.... ........@.. ....................................@................................

File Icon


Icon Hash:	30f0f8e4e0e0e060

Static PE Info

General

Entrypoint:	0x4ac276
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD34074E5 [Fri Apr 24 00:40:05 2082 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
dec eax
xor al, 46h
pop edx
push esp
inc edi
inc ebx
pop eax
cmp byte ptr [edi], dh
pop eax
xor al, 38h
inc edx
inc esi
aaa
xor al, 47h
inc edx
xor eax, 00003838h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xac224	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x28008	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xac208	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xaa294	0xaa400	False	0.8028577000734214	data	7.443954108514022	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0x28008	0x28200	False	0.1154047410436137	data	2.9852524877320703	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd8000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xae280	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON	0xbeaa8	0x94a8	data
RT_ICON	0xc7f50	0x5488	data
RT_ICON	0xcd3d8	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON	0xd1600	0x25a8	data
RT_ICON	0xd3ba8	0x10a8	data
RT_ICON	0xd4c50	0x988	data
RT_ICON	0xd55d8	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xd5a40	0x76	data
RT_VERSION	0xd5ab8	0x364	data
RT_MANIFEST	0xd5e1c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
20.91.187.223192.168.2.65707497642036735 08/05/22-10:48:28.518524	TCP	2036735	ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)	5707	49764	20.91.187.223	192.168.2.6
192.168.2.620.91.187.2234976457072036734 08/05/22-10:48:28.721248	TCP	2036734	ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin	49764	5707	192.168.2.6	20.91.187.223

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 10:48:28.439207077 CEST	49764	5707	192.168.2.6	20.91.187.223
Aug 5, 2022 10:48:28.478080034 CEST	5707	49764	20.91.187.223	192.168.2.6
Aug 5, 2022 10:48:28.478790045 CEST	49764	5707	192.168.2.6	20.91.187.223
Aug 5, 2022 10:48:28.518523932 CEST	5707	49764	20.91.187.223	192.168.2.6
Aug 5, 2022 10:48:28.721247911 CEST	49764	5707	192.168.2.6	20.91.187.223
Aug 5, 2022 10:48:28.810730934 CEST	5707	49764	20.91.187.223	192.168.2.6
Aug 5, 2022 10:48:48.518804073 CEST	5707	49764	20.91.187.223	192.168.2.6
Aug 5, 2022 10:48:48.519543886 CEST	49764	5707	192.168.2.6	20.91.187.223
Aug 5, 2022 10:48:48.607975960 CEST	5707	49764	20.91.187.223	192.168.2.6
Aug 5, 2022 10:49:08.521075010 CEST	5707	49764	20.91.187.223	192.168.2.6
Aug 5, 2022 10:49:08.524054050 CEST	49764	5707	192.168.2.6	20.91.187.223
Aug 5, 2022 10:49:08.603039980 CEST	5707	49764	20.91.187.223	192.168.2.6
Aug 5, 2022 10:49:28.520616055 CEST	5707	49764	20.91.187.223	192.168.2.6
Aug 5, 2022 10:49:28.521457911 CEST	49764	5707	192.168.2.6	20.91.187.223
Aug 5, 2022 10:49:28.605835915 CEST	5707	49764	20.91.187.223	192.168.2.6
Aug 5, 2022 10:49:48.533683062 CEST	5707	49764	20.91.187.223	192.168.2.6
Aug 5, 2022 10:49:48.534974098 CEST	49764	5707	192.168.2.6	20.91.187.223
Aug 5, 2022 10:49:48.622869015 CEST	5707	49764	20.91.187.223	192.168.2.6
Aug 5, 2022 10:50:08.534110069 CEST	5707	49764	20.91.187.223	192.168.2.6
Aug 5, 2022 10:50:08.534837008 CEST	49764	5707	192.168.2.6	20.91.187.223
Aug 5, 2022 10:50:08.623394966 CEST	5707	49764	20.91.187.223	192.168.2.6

Target ID:	0
Start time:	10:48:05
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe"
Imagebase:	0x6d0000
File size:	862720 bytes
MD5 hash:	9E8D620F00F7988A79AE5C1228F37899
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.394220155.00000000045C4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.392150523.0000000002D16000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: powershell.exePID: 5000, Parent PID: 1700

General

Target ID:	5
Start time:	10:48:17
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gATZIsOK.exe
Imagebase:	0xf10000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 5064, Parent PID: 5000

General

Target ID:	6
Start time:	10:48:17
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 488, Parent PID: 1700

General

Target ID:	7
Start time:	10:48:18
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gATZIsOK" /XML "C:\Users\user\AppData\Local\Temp\tmpF006.tmp
Imagebase:	0x10d0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 4436, Parent PID: 488

General

Target ID:	8
Start time:	10:48:20
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: JOB-in.line e.K. - New Order 56899707.exePID: 396, Parent PID: 1700

General

Target ID:	9
Start time:	10:48:22
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\JOB-in.line e.K. - New Order 56899707.exe
Imagebase:	0x5e0000
File size:	862720 bytes
MD5 hash:	9E8D620F00F7988A79AE5C1228F37899
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000009.00000003.391271404.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000009.00000003.391271404.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000009.00000003.391610814.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000009.00000003.391610814.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000009.00000000.385551724.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000009.00000000.385551724.000000000054F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000009.00000000.384273881.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000009.00000003.391249495.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report JOB-in.line e.K. - New Order 56899707.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: AveMaria

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JOB-in.line e.K. - New Order 56899707.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_evf3gbiu.whq.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkbfubpc.mhm.ps1

C:\Users\user\AppData\Local\Temp\tmpF006.tmp

C:\Users\user\AppData\Roaming\gATZIsOK.exe

C:\Users\user\AppData\Roaming\gATZIsOK.exe:Zone.Identifier

C:\Users\user\Documents\20220805\PowerShell_transcript.065367.PYT_AdW3.20220805104819.txt

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
JOB-in.line e.K. - New Order 56899707.exe

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposesand to support other malicious activities, including distraction, hacktivism, and extortion.
Tactics:	Impact
Data Sources:	Netflow/Enclave netflow, Network device logs, Network intrusion detection system, Network protocol analysis, SSL/TLS inspection, Web application firewall logs, Web logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre