Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
Analysis ID:753413
MD5:2015410bb46bda0bd98be49f2ca03e00
SHA1:f500da9df562378cd0565485489321d59fa1699c
SHA256:c36284bc37b2aaf39d2e911ef97aac1fa583ca30d90f2cd006635f8f5bf0d7e1
Tags:AveMariaRATexe
Infos:

Detection

AveMaria, UACMe
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe (PID: 5264 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe MD5: 2015410BB46BDA0BD98BE49F2CA03E00)
    • powershell.exe (PID: 5208 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5220 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • hAwKqJPm.exe (PID: 868 cmdline: C:\Users\user\AppData\Roaming\hAwKqJPm.exe MD5: 2015410BB46BDA0BD98BE49F2CA03E00)
    • schtasks.exe (PID: 3600 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp9691.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • hAwKqJPm.exe (PID: 1976 cmdline: C:\Users\user\AppData\Roaming\hAwKqJPm.exe MD5: 2015410BB46BDA0BD98BE49F2CA03E00)
  • cleanup

Malware Configuration

Threatname: AveMaria

{"C2 url": "leekong.duckdns.org", "port": 6640}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmpCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
  • 0x97f20:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x97f20:$c1: Elevation:Administrator!new:
00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
    00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AveMariaYara detected AveMaria stealerJoe Security
        00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmpWindows_Trojan_AveMaria_31d2bce9unknownunknown
        • 0x94678:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
        • 0x92edc:$a2: SMTP Password
        • 0x91aa8:$a3: select signon_realm, origin_url, username_value, password_value from logins
        • 0x97f20:$a4: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
        • 0x94568:$a5: for /F "usebackq tokens=*" %%A in ("
        • 0x92768:$a6: \Torch\User Data\Default\Login Data
        • 0x98040:$a7: /n:%temp%\ellocnak.xml
        • 0x98070:$a9: Hey I'm Admin
        • 0x92cb4:$a10: \logins.json
        • 0x92dbc:$a10: \logins.json
        • 0x936a0:$a11: Accounts\Account.rec0
        • 0x94330:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
        Click to see the 44 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpackCodoso_Gh0st_2Detects Codoso APT Gh0st MalwareFlorian Roth
        • 0x2c1f0:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
        6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpackCodoso_Gh0st_1Detects Codoso APT Gh0st MalwareFlorian Roth
        • 0x2c1f0:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
        • 0x2c1f0:$c1: Elevation:Administrator!new:
        6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
        • 0x266e0:$a1: \Opera Software\Opera Stable\Login Data
        • 0x269e0:$a2: \Comodo\Dragon\User Data\Default\Login Data
        • 0x261d8:$a3: \Google\Chrome\User Data\Default\Login Data
        6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpackJoeSecurity_UACMeYara detected UACMe UAC Bypass toolJoe Security
          6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 212 entries

            Sigma Signatures

            Persistence and Installation Behavior

            barindex
            Sigma detected: Scheduled temp file as task from temp location
            Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, ParentProcessId: 5264, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp, ProcessId: 5220, ProcessName: schtasks.exe

            Snort Signatures

            Timestamp:103.150.8.47192.168.2.36640496912038897 11/24/22-19:30:17.744742
            SID:2038897
            Source Port:6640
            Destination Port:49691
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:192.168.2.3103.150.8.474969166402851946 11/24/22-19:31:57.790282
            SID:2851946
            Source Port:49691
            Destination Port:6640
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:103.150.8.47192.168.2.36640496912851945 11/24/22-19:31:57.787821
            SID:2851945
            Source Port:6640
            Destination Port:49691
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:103.150.8.47192.168.2.36640496912851933 11/24/22-19:30:18.197244
            SID:2851933
            Source Port:6640
            Destination Port:49691
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:192.168.2.3103.150.8.474969166402852357 11/24/22-19:30:17.889863
            SID:2852357
            Source Port:49691
            Destination Port:6640
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:103.150.8.47192.168.2.36640496912852356 11/24/22-19:31:37.787359
            SID:2852356
            Source Port:6640
            Destination Port:49691
            Protocol:TCP
            Classtype:A Network Trojan was detected
            Timestamp:103.150.8.47192.168.2.36640496912851895 11/24/22-19:30:17.744742
            SID:2851895
            Source Port:6640
            Destination Port:49691
            Protocol:TCP
            Classtype:A Network Trojan was detected

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for submitted file
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeReversingLabs: Detection: 19%
            Yara detected AveMaria stealer
            Source: Yara matchFile source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df8cd0.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: hAwKqJPm.exe PID: 868, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5584, type: MEMORYSTR
            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeReversingLabs: Detection: 19%
            Machine Learning detection for sample
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeJoe Sandbox ML: detected
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeJoe Sandbox ML: detected
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpackAvira: Label: TR/Redcap.ghjpt
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpackAvira: Label: TR/Downloader.Gen
            Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: AveMaria {"C2 url": "leekong.duckdns.org", "port": 6640}

            Exploits

            barindex
            Yara detected UACMe UAC Bypass tool
            Source: Yara matchFile source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.498f1a0.13.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.464c000.10.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.268913110.0000000000562000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.279119713.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: hAwKqJPm.exe PID: 868, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5584, type: MEMORYSTR
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            barindex
            Snort IDS alert for network traffic
            Source: TrafficSnort IDS: 2038897 ET TROJAN Warzone RAT Response (Inbound) 103.150.8.47:6640 -> 192.168.2.3:49691
            Source: TrafficSnort IDS: 2852356 ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket 103.150.8.47:6640 -> 192.168.2.3:49691
            Source: TrafficSnort IDS: 2851895 ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 103.150.8.47:6640 -> 192.168.2.3:49691
            Source: TrafficSnort IDS: 2852357 ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse 192.168.2.3:49691 -> 103.150.8.47:6640
            Source: TrafficSnort IDS: 2851933 ETPRO TROJAN Ave Maria/Warzone RAT ListPasswordsCommand 103.150.8.47:6640 -> 192.168.2.3:49691
            Source: TrafficSnort IDS: 2851945 ETPRO TROJAN Ave Maria/Warzone RAT PingCommand 103.150.8.47:6640 -> 192.168.2.3:49691
            Source: TrafficSnort IDS: 2851946 ETPRO TROJAN Ave Maria/Warzone RAT PingResponse 192.168.2.3:49691 -> 103.150.8.47:6640
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: leekong.duckdns.org
            Uses dynamic DNS services
            Source: unknownDNS query: name: leekong.duckdns.org
            Source: Joe Sandbox ViewASN Name: XTOM-AS-JPxTomJP XTOM-AS-JPxTomJP
            Source: global trafficTCP traffic: 192.168.2.3:49691 -> 103.150.8.47:6640
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244875435.0000000006216000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://en.w
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244541126.0000000006233000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244510338.0000000006233000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244485601.0000000006232000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244567187.0000000006233000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244597426.0000000006233000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://en.wikipedia
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246736589.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246673230.0000000006217000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254219136.0000000006217000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254219136.0000000006217000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersiva
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF2
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250009805.000000000621C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comK
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254614525.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.288947142.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254219136.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254731944.000000000621C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254614525.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.288947142.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254219136.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254731944.000000000621C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comceco
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcomF2
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250009805.000000000621C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250009805.000000000621C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comgritog
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comiced
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254614525.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.288947142.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254731944.000000000621C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comionm
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comlicr
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.251108759.000000000621C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comn
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.251108759.000000000621C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.251222842.000000000621C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comonyd
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comx
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246129356.0000000006218000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246006407.0000000006217000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246180301.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246129356.0000000006218000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnG
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246180301.0000000006217000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnX
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246006407.0000000006217000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnion
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/2
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/9
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-d
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s_tr
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ww.mK
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245634926.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247567253.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244950903.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245165040.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244885604.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244712367.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247480222.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244827108.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244764143.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245711171.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244742234.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245899283.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245260378.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246660475.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245075024.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246297100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247170656.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245317017.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247119623.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245431681.000000000622B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245634926.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247567253.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244950903.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245165040.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244885604.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247480222.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244827108.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244764143.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245711171.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245899283.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245260378.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246660475.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245075024.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246297100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247170656.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245317017.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247119623.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245431681.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246576079.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244800921.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246100788.000000000622B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comG
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245634926.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247567253.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244950903.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245165040.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244885604.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247480222.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244827108.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244764143.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245711171.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245899283.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245260378.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246660475.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245075024.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246297100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247170656.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245317017.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247119623.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245431681.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246576079.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244800921.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246100788.000000000622B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comegQ
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248060428.0000000006245000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248114380.0000000006244000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248094904.0000000006246000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com-s
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.279232900.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper-instInitWindows
            Source: unknownDNS traffic detected: queries for: leekong.duckdns.org
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetRawInputData

            E-Banking Fraud

            barindex
            Yara detected AveMaria stealer
            Source: Yara matchFile source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df8cd0.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: hAwKqJPm.exe PID: 868, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5584, type: MEMORYSTR

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.498f1a0.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
            Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects SystemBC Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.498f1a0.13.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.498f1a0.13.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de6d90.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
            Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.464c000.10.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
            Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000006.00000000.268913110.0000000000562000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000006.00000003.279119713.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
            Source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeCode function: 0_2_0325C164
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeCode function: 0_2_0325E5A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeCode function: 0_2_0325E5B0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeCode function: 0_2_07CE0040
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeCode function: 0_2_07CE0037
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeCode function: 0_2_094C0040
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeCode function: 5_2_04D2E5B0
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeCode function: 5_2_04D2E5A0
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeCode function: 5_2_04D2C164
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeCode function: 5_2_08230006
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeCode function: 5_2_08230040
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000000.241559617.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNvAX.exe8 vs SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.290690250.0000000007B30000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeBinary or memory string: OriginalFilenameNvAX.exe8 vs SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: hAwKqJPm.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeReversingLabs: Detection: 19%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeJump to behavior
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\hAwKqJPm.exe C:\Users\user\AppData\Roaming\hAwKqJPm.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp9691.tmp
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess created: C:\Users\user\AppData\Roaming\hAwKqJPm.exe C:\Users\user\AppData\Roaming\hAwKqJPm.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp9691.tmp
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess created: C:\Users\user\AppData\Roaming\hAwKqJPm.exe C:\Users\user\AppData\Roaming\hAwKqJPm.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeFile created: C:\Users\user\AppData\Roaming\hAwKqJPm.exeJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeFile created: C:\Users\user\AppData\Local\Temp\tmp58FB.tmpJump to behavior
            Source: classification engineClassification label: mal100.phis.troj.expl.evad.winEXE@15/9@1/1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1832:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_01
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeMutant created: \Sessions\1\BaseNamedObjects\bAWcTXuCgNjR
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5176:120:WilError_01
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeFile created: C:\Program Files\Microsoft DN1Jump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeDirectory created: C:\Program Files\Microsoft DN1Jump to behavior
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            barindex
            .NET source code contains potential unpacker
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, MIllionaire/NewQuestion.cs.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: hAwKqJPm.exe.0.dr, MIllionaire/NewQuestion.cs.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.ed0000.0.unpack, MIllionaire/NewQuestion.cs.Net Code: InitializeComponent System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeCode function: 0_2_094C35F7 push edi; retf
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeCode function: 5_2_0909249D push FFFFFF8Bh; iretd
            Source: initial sampleStatic PE information: section name: .text entropy: 7.699539405299492
            Source: initial sampleStatic PE information: section name: .text entropy: 7.699539405299492
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeFile created: C:\Users\user\AppData\Roaming\hAwKqJPm.exeJump to dropped file

            Boot Survival

            barindex
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp

            Hooking and other Techniques for Hiding and Protection

            barindex
            Contains functionality to hide user accounts
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.279232900.0000000000DF8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.279232900.0000000000DF8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ed_key":""}DPAPITermService%ProgramFiles%%windir%\System32%ProgramW6432%%ProgramFiles%\Microsoft DN1\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dll\sqlmap.dllrudprpdprudpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListrpdpSeDebugPrivilege%SystemRoot%\System32\termsrv.dllrudprpdpSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDll127.0.0.1SYSTEM\CurrentControlSet\Services\TermServiceImagePathSYSTEM\CurrentControlSet\Services\TermService\Parameterssvchost.exesvchost.exe -kServiceDllCertPropSvcSessionEnvServicesActiveEnableConcurrentSessionsSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllAllowMultipleTSSessionsNameSYSTEM\CurrentControlSet\Control\Terminal ServerRDPClipTypeSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonTypeSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsServicesActiveServicesActiveServicesActive
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeFile opened: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Yara detected AntiVM3
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: hAwKqJPm.exe PID: 868, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe TID: 5280Thread sleep time: -42186s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe TID: 5416Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2572Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe TID: 4632Thread sleep time: -42186s >= -30000s
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exe TID: 2820Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9291
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeThread delayed: delay time: 42186
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeThread delayed: delay time: 42186
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeThread delayed: delay time: 922337203685477
            Source: hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
            Source: hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
            Source: hAwKqJPm.exe, 00000013.00000003.303113348.0000000001161000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
            Source: hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeMemory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeMemory written: C:\Users\user\AppData\Roaming\hAwKqJPm.exe base: 400000 value starts with: 4D5A
            Adds a directory exclusion to Windows Defender
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp9691.tmp
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeProcess created: C:\Users\user\AppData\Roaming\hAwKqJPm.exe C:\Users\user\AppData\Roaming\hAwKqJPm.exe
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000002.510490820.0000000000DFF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
            Source: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000002.510490820.0000000000DFF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeQueries volume information: C:\Users\user\AppData\Roaming\hAwKqJPm.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\hAwKqJPm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            barindex
            Increases the number of concurrent connection per server for Internet Explorer
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exeRegistry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10Jump to behavior

            Stealing of Sensitive Information

            barindex
            Yara detected AveMaria stealer
            Source: Yara matchFile source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df8cd0.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: hAwKqJPm.exe PID: 868, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5584, type: MEMORYSTR
            Source: Yara matchFile source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: hAwKqJPm.exe PID: 868, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5584, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected AveMaria stealer
            Source: Yara matchFile source: 6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df8cd0.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de57f8.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.48f8910.14.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.354ef04.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bad884.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.3632fb0.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.363a1fc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bb4ad0.7.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bb4ad0.7.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2bad884.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.df6fe8.4.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4963d30.12.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 5.2.hAwKqJPm.exe.2afecbc.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.4620b90.11.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.45d0b70.9.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5264, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: hAwKqJPm.exe PID: 868, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe PID: 5584, type: MEMORYSTR

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid Accounts1
            Scheduled Task/Job            		1
            Scheduled Task/Job            		112
            Process Injection            		3
            Masquerading            		11
            Input Capture            		21
            Security Software Discovery            		Remote Services11
            Input Capture            		Exfiltration Over Other Network Medium1
            Encrypted Channel            		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
            Endpoint Denial of Service
            Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
            Scheduled Task/Job            		11
            Disable or Modify Tools            		LSASS Memory2
            Process Discovery            		Remote Desktop Protocol1
            Archive Collected Data            		Exfiltration Over Bluetooth1
            Non-Standard Port            		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
            Virtualization/Sandbox Evasion            		Security Account Manager21
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
            Non-Application Layer Protocol            		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)112
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureScheduled Transfer21
            Application Layer Protocol            		SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
            Hidden Files and Directories            		LSA Secrets1
            Remote System Discovery            		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common1
            Hidden Users            		Cached Domain Credentials1
            File and Directory Discovery            		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items2
            Obfuscated Files or Information            		DCSync12
            System Information Discovery            		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job13
            Software Packing            		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 753413 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 24/11/2022 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 10 other signatures 2->47 7 SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe 7 2->7         started        11 hAwKqJPm.exe 5 2->11         started        process3 file4 31 C:\Users\user\AppData\Roaming\hAwKqJPm.exe, PE32 7->31 dropped 33 C:\Users\...\hAwKqJPm.exe:Zone.Identifier, ASCII 7->33 dropped 35 C:\Users\user\AppData\Local\...\tmp58FB.tmp, XML 7->35 dropped 37 SecuriteInfo.com.W....1041.15454.exe.log, ASCII 7->37 dropped 49 Uses schtasks.exe or at.exe to add and modify task schedules 7->49 51 Adds a directory exclusion to Windows Defender 7->51 53 Injects a PE file into a foreign processes 7->53 13 SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe 3 2 7->13         started        17 powershell.exe 21 7->17         started        19 schtasks.exe 1 7->19         started        55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 21 schtasks.exe 1 11->21         started        23 hAwKqJPm.exe 1 11->23         started        signatures5 process6 dnsIp7 39 leekong.duckdns.org 103.150.8.47, 49691, 6640 XTOM-AS-JPxTomJP unknown 13->39 59 Increases the number of concurrent connection per server for Internet Explorer 13->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->61 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        signatures8 process9

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe20%ReversingLabs
            SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\hAwKqJPm.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Roaming\hAwKqJPm.exe20%ReversingLabs

            Unpacked PE Files

            SourceDetectionScannerLabelLinkDownload
            6.0.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.400000.0.unpack100%AviraTR/Redcap.ghjptDownload File
            6.3.SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.de8600.2.unpack100%AviraTR/Downloader.GenDownload File

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.founder.com.cn/cnX0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/a-d0%URL Reputationsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.founder.com.cn/cnG0%URL Reputationsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/90%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://fontfabrik.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/20%URL Reputationsafe
            http://www.fontbureau.comonyd0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y00%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/s_tr0%URL Reputationsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://en.wikipedia0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
            http://www.fontbureau.coma0%URL Reputationsafe
            http://www.fontbureau.comd0%URL Reputationsafe
            http://en.w0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.fontbureau.comionm0%URL Reputationsafe
            http://www.fontbureau.comn0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.fontbureau.comx0%URL Reputationsafe
            leekong.duckdns.org0%Avira URL Cloudsafe
            http://www.fontbureau.comF20%Avira URL Cloudsafe
            http://www.fontbureau.comceco0%Avira URL Cloudsafe
            http://www.fontbureau.comlicr0%Avira URL Cloudsafe
            http://www.sajatypeworks.comG0%Avira URL Cloudsafe
            http://www.fontbureau.comK0%Avira URL Cloudsafe
            http://www.fontbureau.comiced0%Avira URL Cloudsafe
            http://www.fontbureau.comcomF20%Avira URL Cloudsafe
            http://www.fontbureau.comgritog0%Avira URL Cloudsafe
            http://www.founder.com.cn/cnion0%Avira URL Cloudsafe
            http://www.sakkal.com-s0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/ww.mK0%Avira URL Cloudsafe
            http://www.sajatypeworks.comegQ0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            leekong.duckdns.org
            		103.150.8.47
            		truetrue
              		unknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              leekong.duckdns.orgtrue
              • Avira URL Cloud: safe
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://www.fontbureau.com/designersGSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.fontbureau.com/designers/?SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.founder.com.cn/cn/bTheSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designers?SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.founder.com.cn/cnXSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246180301.0000000006217000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/a-dSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.tiro.comSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fontbureau.comcecoSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254614525.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.288947142.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254219136.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254731944.000000000621C000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.fontbureau.com/designersSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254219136.0000000006217000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.goodfont.co.krSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designersivaSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254219136.0000000006217000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.founder.com.cn/cnGSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246180301.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246129356.0000000006218000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.sajatypeworks.comGSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245634926.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247567253.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244950903.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245165040.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244885604.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247480222.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244827108.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244764143.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245711171.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245899283.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245260378.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246660475.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245075024.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246297100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247170656.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245317017.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247119623.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245431681.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246576079.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244800921.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246100788.000000000622B000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.sajatypeworks.comSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245634926.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247567253.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244950903.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245165040.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244885604.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244712367.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247480222.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244827108.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244764143.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245711171.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244742234.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245899283.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245260378.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246660475.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245075024.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246297100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247170656.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245317017.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247119623.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245431681.000000000622B000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.jiyu-kobo.co.jp/9SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.typography.netDSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.founder.com.cn/cn/cTheSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.galapagosdesign.com/staff/dennis.htmSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://fontfabrik.comSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.comF2SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.jiyu-kobo.co.jp/2SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.comonydSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.251108759.000000000621C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.251222842.000000000621C000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.jiyu-kobo.co.jp//SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        https://github.com/syohex/java-simple-mine-sweeper-instInitWindowsSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.279232900.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmpfalse
                          		high
                          http://www.galapagosdesign.com/DPleaseSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/Y0SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.jiyu-kobo.co.jp/s_trSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fonts.comSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.sandoll.co.krSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.comlicrSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.urwpp.deDPleaseSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.zhongyicts.com.cnSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, hAwKqJPm.exe, 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.sakkal.comSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.comicedSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.apache.org/licenses/LICENSE-2.0SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246736589.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246673230.0000000006217000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.fontbureau.comSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.fontbureau.comKSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250009805.000000000621C000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.comcomF2SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.fontbureau.comgritogSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250009805.000000000621C000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://en.wikipediaSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244541126.0000000006233000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244510338.0000000006233000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244485601.0000000006232000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244567187.0000000006233000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244597426.0000000006233000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/jp/SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.comaSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254614525.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.288947142.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254219136.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254731944.000000000621C000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.comdSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250009805.000000000621C000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://en.wSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244875435.0000000006216000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.carterandcone.comlSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.founder.com.cn/cnionSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246006407.0000000006217000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.sakkal.com-sSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248060428.0000000006245000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248114380.0000000006244000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248094904.0000000006246000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.founder.com.cn/cnSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246129356.0000000006218000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246006407.0000000006217000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/frere-jones.htmlSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.jiyu-kobo.co.jp/ww.mKSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.sajatypeworks.comegQSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245634926.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247567253.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244950903.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245165040.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244885604.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247480222.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244827108.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244764143.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245711171.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245899283.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245260378.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246660475.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245075024.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246297100.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247170656.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245317017.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247119623.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.245431681.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246576079.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.244800921.000000000622B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.246100788.000000000622B000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.fontbureau.com/designers/cabarga.htmlSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250076896.000000000621D000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.fontbureau.comionmSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254614525.0000000006217000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.288947142.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.254731944.000000000621C000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.comnSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.251108759.000000000621C000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.jiyu-kobo.co.jp/SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.247494081.000000000621B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248068026.000000000621D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.248125653.000000000621D000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers8SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000002.289129685.0000000007422000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.fontbureau.comxSecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250362269.000000000621E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe, 00000000.00000003.250306044.000000000621C000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown

                                          World Map of Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public IPs

                                          IPDomainCountryFlagASNASN NameMalicious
                                          103.150.8.47
                                          		leekong.duckdns.orgunknown
                                          		4785XTOM-AS-JPxTomJPtrue

                                          General Information

                                          Joe Sandbox Version:36.0.0 Rainbow Opal
                                          Analysis ID:753413
                                          Start date and time:2022-11-24 19:29:07 +01:00
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 7m 36s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:22
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.phis.troj.expl.evad.winEXE@15/9@1/1
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 89%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe

                                          Warnings

                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                          • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, ctldl.windowsupdate.com
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          19:30:05API Interceptor2x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe modified
                                          19:30:09API Interceptor33x Sleep call for process: powershell.exe modified
                                          19:30:10Task SchedulerRun new task: hAwKqJPm path: C:\Users\user\AppData\Roaming\hAwKqJPm.exe
                                          19:30:21API Interceptor2x Sleep call for process: hAwKqJPm.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASNs

                                          No context

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe.log

                                          Download File
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hAwKqJPm.exe.log

                                          Download File
                                          Process:C:\Users\user\AppData\Roaming\hAwKqJPm.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):22016
                                          Entropy (8bit):5.598831434263491
                                          Encrypted:false
                                          SSDEEP:384:2tCR3kGlTe9ly6uP4HyNB73USBxnejibiJ9g5SJ3uyC1+m021AVrdACsf0A+izYb:zVyy/PtBzU4xeuP5cuCXFb
                                          MD5:4948D58E4C9B37FFC0BFA376FB43E44A
                                          SHA1:9359741CDD6E3D4F6BA91CAD50DBEAFDFE4257E0
                                          SHA-256:5938DFEEB96742412A15B0D54333F7EAD01178A31ED4E1197414E3F98FF1C262
                                          SHA-512:0A41A2FB6953F8BB43012E40C76D9D45DD8468D3608C032D782AD273798BC5BEB28F3B38E0B33119D432CBF34B518488ABA335A3D47FC2F033B2925B3AA28546
                                          Malicious:false
                                          Preview:@...e...........7...................7................@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rs2uu4tt.g22.psm1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:very short file (no magic)
                                          Category:dropped
                                          Size (bytes):1
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3:U:U
                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                          Malicious:false
                                          Preview:1

                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zg3r1ixe.pyh.ps1

                                          Download File
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:very short file (no magic)
                                          Category:dropped
                                          Size (bytes):1
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3:U:U
                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                          Malicious:false
                                          Preview:1

                                          C:\Users\user\AppData\Local\Temp\tmp58FB.tmp

                                          Download File
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1595
                                          Entropy (8bit):5.154045872002826
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt4axvn:cge4MYrFdOFzOzN33ODOiDdKrsuT3v
                                          MD5:2829DB7F9375335D00676E8A8D3325E1
                                          SHA1:1213283AA2FD79C2FDEA070BFE36A442FF0B0328
                                          SHA-256:7B9F5D4256077489D2AB74BE27352F8AEC19BCD40AA1B630FEEBD023F60BF1AA
                                          SHA-512:74A317A95B1C82F6FA6170F5D48CA1CF757D710962CC32E643C76730F6105445DB406B939AFBD00F00325F7FBA80C034947F2FDABEF6F5CE4961FD6E92EE15DD
                                          Malicious:true
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

                                          C:\Users\user\AppData\Local\Temp\tmp9691.tmp

                                          Download File
                                          Process:C:\Users\user\AppData\Roaming\hAwKqJPm.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1595
                                          Entropy (8bit):5.154045872002826
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt4axvn:cge4MYrFdOFzOzN33ODOiDdKrsuT3v
                                          MD5:2829DB7F9375335D00676E8A8D3325E1
                                          SHA1:1213283AA2FD79C2FDEA070BFE36A442FF0B0328
                                          SHA-256:7B9F5D4256077489D2AB74BE27352F8AEC19BCD40AA1B630FEEBD023F60BF1AA
                                          SHA-512:74A317A95B1C82F6FA6170F5D48CA1CF757D710962CC32E643C76730F6105445DB406B939AFBD00F00325F7FBA80C034947F2FDABEF6F5CE4961FD6E92EE15DD
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

                                          C:\Users\user\AppData\Roaming\hAwKqJPm.exe

                                          Download File
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):872960
                                          Entropy (8bit):7.69627043654526
                                          Encrypted:false
                                          SSDEEP:12288:XHmZJbxpDFv6d2tZKGxF9rOTE/oMwtXBE3QVmfVUQa8PbT6OZO2bUq0fjVZ5jSC:XHvd2tceX/nyR3VmfVDHbTLZOKYjkC
                                          MD5:2015410BB46BDA0BD98BE49F2CA03E00
                                          SHA1:F500DA9DF562378CD0565485489321D59FA1699C
                                          SHA-256:C36284BC37B2AAF39D2E911EF97AAC1FA583CA30D90F2CD006635F8F5BF0D7E1
                                          SHA-512:003A87FA2A9E6CBC2E12EDE2CBF78ABBE11EEC1635E0695406C421C496783DEFD9EC6659A1524D8481DBEED61155BB5EEBBE997EA0863E8590BBC69B3C8CC7E6
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 20%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0..J...........i... ........@.. ....................................@..................................h..O.......p............................................................................ ............... ..H............text....I... ...J.................. ..`.rsrc...p............L..............@..@.reloc...............P..............@..B.................h......H........j..TE......V....................................................0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+...3.*^..}.....(.......(.....*....0..#.........{.........,...{.....~....o......*&..(.....*....0..#.........{.........,...{.....~....o......*..0..+.........,..{.......+....,...{....o........(...

                                          C:\Users\user\AppData\Roaming\hAwKqJPm.exe:Zone.Identifier

                                          Download File
                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.69627043654526
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
                                          File size:872960
                                          MD5:2015410bb46bda0bd98be49f2ca03e00
                                          SHA1:f500da9df562378cd0565485489321d59fa1699c
                                          SHA256:c36284bc37b2aaf39d2e911ef97aac1fa583ca30d90f2cd006635f8f5bf0d7e1
                                          SHA512:003a87fa2a9e6cbc2e12ede2cbf78abbe11eec1635e0695406c421c496783defd9ec6659a1524d8481dbeed61155bb5eebbe997ea0863e8590bbc69b3c8cc7e6
                                          SSDEEP:12288:XHmZJbxpDFv6d2tZKGxF9rOTE/oMwtXBE3QVmfVUQa8PbT6OZO2bUq0fjVZ5jSC:XHvd2tceX/nyR3VmfVDHbTLZOKYjkC
                                          TLSH:07058DDF59613E08C29CBAB06817348C7EA194504948E1E4E7E917D95A3BFBDCB8123F
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0..J...........i... ........@.. ....................................@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x4d690e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x637F84B3 [Thu Nov 24 14:50:27 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xd68bc0x4f.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xd80000x370.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xda0000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000xd49140xd4a00False0.8398414535567313SysEx File -7.699539405299492IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .rsrc0xd80000x3700x400False0.365234375data2.789007112227322IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0xda0000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountry
                                          RT_VERSION0xd80580x314data

                                          Imports

                                          DLLImport
                                          mscoree.dll_CorExeMain

                                          Network Behavior

                                          Snort IDS Alerts

                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                          103.150.8.47192.168.2.36640496912038897 11/24/22-19:30:17.744742TCP2038897ET TROJAN Warzone RAT Response (Inbound)664049691103.150.8.47192.168.2.3
                                          192.168.2.3103.150.8.474969166402851946 11/24/22-19:31:57.790282TCP2851946ETPRO TROJAN Ave Maria/Warzone RAT PingResponse496916640192.168.2.3103.150.8.47
                                          103.150.8.47192.168.2.36640496912851945 11/24/22-19:31:57.787821TCP2851945ETPRO TROJAN Ave Maria/Warzone RAT PingCommand664049691103.150.8.47192.168.2.3
                                          103.150.8.47192.168.2.36640496912851933 11/24/22-19:30:18.197244TCP2851933ETPRO TROJAN Ave Maria/Warzone RAT ListPasswordsCommand664049691103.150.8.47192.168.2.3
                                          192.168.2.3103.150.8.474969166402852357 11/24/22-19:30:17.889863TCP2852357ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse496916640192.168.2.3103.150.8.47
                                          103.150.8.47192.168.2.36640496912852356 11/24/22-19:31:37.787359TCP2852356ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket664049691103.150.8.47192.168.2.3
                                          103.150.8.47192.168.2.36640496912851895 11/24/22-19:30:17.744742TCP2851895ETPRO TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound)664049691103.150.8.47192.168.2.3

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Nov 24, 2022 19:30:17.173063040 CET496916640192.168.2.3103.150.8.47
                                          Nov 24, 2022 19:30:17.459017992 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:30:17.459163904 CET496916640192.168.2.3103.150.8.47
                                          Nov 24, 2022 19:30:17.744741917 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:30:17.804780960 CET496916640192.168.2.3103.150.8.47
                                          Nov 24, 2022 19:30:17.889863014 CET496916640192.168.2.3103.150.8.47
                                          Nov 24, 2022 19:30:18.197243929 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:30:18.215589046 CET496916640192.168.2.3103.150.8.47
                                          Nov 24, 2022 19:30:18.543471098 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:30:37.756028891 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:30:37.757914066 CET496916640192.168.2.3103.150.8.47
                                          Nov 24, 2022 19:30:38.082035065 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:30:57.758604050 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:30:57.759512901 CET496916640192.168.2.3103.150.8.47
                                          Nov 24, 2022 19:30:58.084768057 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:31:17.771068096 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:31:17.772058964 CET496916640192.168.2.3103.150.8.47
                                          Nov 24, 2022 19:31:18.099214077 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:31:37.787358999 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:31:37.789005995 CET496916640192.168.2.3103.150.8.47
                                          Nov 24, 2022 19:31:38.112308979 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:31:57.787821054 CET664049691103.150.8.47192.168.2.3
                                          Nov 24, 2022 19:31:57.790282011 CET496916640192.168.2.3103.150.8.47
                                          Nov 24, 2022 19:31:58.113883018 CET664049691103.150.8.47192.168.2.3

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Nov 24, 2022 19:30:17.056688070 CET5439753192.168.2.38.8.8.8
                                          Nov 24, 2022 19:30:17.168728113 CET53543978.8.8.8192.168.2.3

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          Nov 24, 2022 19:30:17.056688070 CET192.168.2.38.8.8.80x7da1Standard query (0)leekong.duckdns.orgA (IP address)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          Nov 24, 2022 19:30:17.168728113 CET8.8.8.8192.168.2.30x7da1No error (0)leekong.duckdns.org103.150.8.47A (IP address)IN (0x0001)false

                                          Statistics

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:19:29:58
                                          Start date:24/11/2022
                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
                                          Imagebase:0xed0000
                                          File size:872960 bytes
                                          MD5 hash:2015410BB46BDA0BD98BE49F2CA03E00
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.287016185.00000000048F8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.279718323.000000000354E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000000.00000002.285102009.00000000045D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low

                                          General

                                          Target ID:1
                                          Start time:19:30:07
                                          Start date:24/11/2022
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\hAwKqJPm.exe
                                          Imagebase:0xc10000
                                          File size:430592 bytes
                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:high

                                          General

                                          Target ID:2
                                          Start time:19:30:07
                                          Start date:24/11/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff745070000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Target ID:3
                                          Start time:19:30:07
                                          Start date:24/11/2022
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp58FB.tmp
                                          Imagebase:0xe50000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Target ID:4
                                          Start time:19:30:07
                                          Start date:24/11/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff745070000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Target ID:5
                                          Start time:19:30:10
                                          Start date:24/11/2022
                                          Path:C:\Users\user\AppData\Roaming\hAwKqJPm.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Roaming\hAwKqJPm.exe
                                          Imagebase:0x510000
                                          File size:872960 bytes
                                          MD5 hash:2015410BB46BDA0BD98BE49F2CA03E00
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000005.00000002.303636466.0000000002AFE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 20%, ReversingLabs
                                          Reputation:low

                                          General

                                          Target ID:6
                                          Start time:19:30:11
                                          Start date:24/11/2022
                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.1041.15454.exe
                                          Imagebase:0x680000
                                          File size:872960 bytes
                                          MD5 hash:2015410BB46BDA0BD98BE49F2CA03E00
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000006.00000003.278810963.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000006.00000000.268659603.0000000000426000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000006.00000003.278763102.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000006.00000000.268913110.0000000000562000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000006.00000000.268913110.0000000000562000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 00000006.00000003.279119713.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 00000006.00000003.279119713.0000000000DE4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000006.00000003.279160265.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low

                                          General

                                          Target ID:17
                                          Start time:19:30:24
                                          Start date:24/11/2022
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAwKqJPm" /XML "C:\Users\user\AppData\Local\Temp\tmp9691.tmp
                                          Imagebase:0xe50000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Target ID:18
                                          Start time:19:30:24
                                          Start date:24/11/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff745070000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Target ID:19
                                          Start time:19:30:25
                                          Start date:24/11/2022
                                          Path:C:\Users\user\AppData\Roaming\hAwKqJPm.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Roaming\hAwKqJPm.exe
                                          Imagebase:0x940000
                                          File size:872960 bytes
                                          MD5 hash:2015410BB46BDA0BD98BE49F2CA03E00
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low

                                          Disassembly

                                          No disassembly