
Analysis Report https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file

Overview

General Information

Sample URL: https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • cmd.exe (PID: 4812 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 2572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 4304 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • unarchiver.exe (PID: 556 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\EXONE 2606202201.7z' MD5: 8B435F8731563566F3F49203BA277865)
    • 7za.exe (PID: 5008 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e' 'C:\Users\user\Desktop\download\EXONE 2606202201.7z' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 4880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 3292 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • EXONE 2606202201.exe (PID: 2912 cmdline: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe MD5: 1F41D32746736E756CAA7FABAB427069)
        • InstallUtil.exe (PID: 4824 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "sc9Tzx", "URL: ": "https://CJitfB1Uzswh2q.org", "To: ": "david01smith@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "TnQoXftkkwAqNuG", "From: ": "david01smith@yandex.com"}

Yara Overview

Memory Dumps

Source                                                               Rule                      Description               Author        Strings
00000009.00000002.524492905.000000000B8A4000.00000004.00000001.sdmp  JoeSecurity_AgentTesla_1  Yara detected AgentTesla  Joe Security
00000009.00000003.499202454.000000000B1DD000.00000004.00000001.sdmp  JoeSecurity_AgentTesla_1  Yara detected AgentTesla  Joe Security
00000009.00000003.498038066.000000000B88A000.00000004.00000001.sdmp  JoeSecurity_AgentTesla_1  Yara detected AgentTesla  Joe Security
00000009.00000003.497188685.000000000B1C5000.00000004.00000001.sdmp  JoeSecurity_AgentTesla_1  Yara detected AgentTesla  Joe Security
00000009.00000003.497834664.000000000B852000.00000004.00000001.sdmp  JoeSecurity_AgentTesla_1  Yara detected AgentTesla  Joe Security

Unpacked PEs

Source                                  Rule                      Description               Author        Strings
12.2.InstallUtil.exe.400000.0.unpack    JoeSecurity_AgentTesla_1  Yara detected AgentTesla  Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: InstallUtil.exe.4824.12.memstr  Malware Configuration Extractor: Agenttesla {"Username: ": "sc9Tzx", "URL: ": "https://CJitfB1Uzswh2q.org", "To: ": "david01smith@yandex.com", "ByHost: ": "smtp.yandex.com:587", "Password: ": "TnQoXftkkwAqNuG", "From: ": "david01smith@yandex.com"}
Source: 12.2.InstallUtil.exe.400000.0.unpack  Avira: Label: TR/Spy.Gen8

Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 027A097Fh  4_2_027A02A8
Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 027A097Eh  4_2_027A02A8

Source: global traffic  TCP traffic: 192.168.2.6:49723 -> 77.88.21.158:587
Source: unknown  DNS traffic detected: queries for: www.mediafire.com
Source: unknown  Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown  Network traffic detected: HTTP traffic on port 49718 -> 443

Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe  Code function: 9_2_058291E0 CreateProcessAsUserW  9_2_058291E0
Source: classification engine  Classification label: mal100.troj.spyw.evad.win@15/9@4/3
Source: C:\Windows\SysWOW64\cmd.exe  File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3464:120:WilError_01
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2572:120:WilError_01
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4880:120:WilError_01
Source: C:\Windows\SysWOW64\unarchiver.exe  File created: C:\Users\user\AppData\Local\Temp\4b2znvou.fsa
Source: C:\Windows\SysWOW64\unarchiver.exe  Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe  Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe  Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\wget.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wget.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown  Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file' > cmdline.out 2>&1
Source: unknown  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown  Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file'
Source: unknown  Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\download\EXONE 2606202201.7z'
Source: unknown  Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e' 'C:\Users\user\Desktop\download\EXONE 2606202201.7z'
Source: unknown  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown  Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe'
Source: unknown  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown  Process created: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe
Source: unknown  Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://www.mediafire.com/file/xuk5d6qwx9yx9bf/EXONE_2606202201.7z/file'
Source: C:\Windows\SysWOW64\unarchiver.exe  Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e' 'C:\Users\user\Desktop\download\EXONE 2606202201.7z'
Source: C:\Windows\SysWOW64\unarchiver.exe  Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe'
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe  Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\SysWOW64\unarchiver.exe  File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll  source: InstallUtil.exe, 0000000C.00000002.847568539.0000000000E42000.00000002.00020000.sdmp, InstallUtil.exe.9.dr
Source: Binary string: InstallUtil.pdb  source: InstallUtil.exe, InstallUtil.exe.9.dr

Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4_2_00B62800 push edi; ret 4_2_00B62BC6
Source: C:\Windows\SysWOW64\7za.exe | Code function: 5_2_00D6CA70 pushad ; retf 5_2_00D6CA71
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_00F6694C push esi; iretd 9_2_00F6694D
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_058235B2 push 8B02EB67h; ret 9_2_058235BE
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_05823112 push 8B02EB67h; ret 9_2_0582311E
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_05826921 push 8B02EB67h; ret 9_2_05826926
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_0582392B push 8BF88B67h; iretd 9_2_05823936
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_05823534 push 8B02EB67h; ret 9_2_05823540
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_05824458 pushad ; iretd 9_2_05824463
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Code function: 9_2_0582372B push 8B02EB67h; ret 9_2_05823737
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE41 push es; ret 12_2_0658DE44
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE45 push es; ret 12_2_0658DE3C
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE45 push es; ret 12_2_0658DE8C
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658A669 push es; ret 12_2_0658A61C
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658A669 push es; ret 12_2_0658A668
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658A669 push es; ret 12_2_0658A6B4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE1B push es; ret 12_2_0658DE1C
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658A61D push es; ret 12_2_0658A5D0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658A61D push es; ret 12_2_0658A61C
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658A61D push es; ret 12_2_0658A668
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE1D push es; ret 12_2_0658DE20
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE39 push es; ret 12_2_0658DE3C
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE3D push es; ret 12_2_0658DE40
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE31 push es; ret 12_2_0658DE34
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE35 push es; ret 12_2_0658DE38
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE29 push es; ret 12_2_0658DE2C
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE2D push es; ret 12_2_0658DE30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE21 push es; ret 12_2_0658DE24
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658DE25 push es; ret 12_2_0658DE28
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658A6CD push es; ret 12_2_0658A6E4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_0658A6F9 push es; ret 12_2_0658A6FC

Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe

              Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | File opened: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe:Zone.Identifier read attributes | delete
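The line above records the sample opening its own Zone.Identifier stream with delete access, i.e. stripping the Mark-of-the-Web that Windows attaches to files that came from the Internet. The Python below is an added example, not part of the report: it parses the [ZoneTransfer] stream format so an analyst can pull the download origin out of a file before a sample gets the chance to delete it, and shows why a deleted stream is indistinguishable from a locally created file. The sample stream and its URLs are constructed for the example.

```python
"""Parse an NTFS Zone.Identifier alternate data stream (the Mark-of-the-Web).

Added example, not part of the sandbox report. The stream below is constructed
to look like what a browser download carries; its URLs are placeholders.
"""
import configparser

# ZoneId values of the Windows URL security zones.
ZONES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(stream: str) -> dict:
    """Decode the [ZoneTransfer] INI block and return zone and origin URLs.

    Raises ValueError when the block or ZoneId is missing, which is also what
    an analyst sees once a sample has deleted the stream from its own file.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                       # keep ZoneId / ReferrerUrl / HostUrl case
    cp.read_string(stream.replace("\r\n", "\n"))
    if not cp.has_section("ZoneTransfer") or not cp.has_option("ZoneTransfer", "ZoneId"):
        raise ValueError("no usable [ZoneTransfer] block: stream absent or already stripped")
    zone_id = int(cp.get("ZoneTransfer", "ZoneId"))
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "Unknown"),
        "referrer_url": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        "host_url": cp.get("ZoneTransfer", "HostUrl", fallback=None),
    }


def is_marked_internet(stream: str) -> bool:
    """True when Windows would treat the file as downloaded (SmartScreen, Office Protected View)."""
    try:
        return parse_zone_identifier(stream)["zone_id"] >= 3
    except ValueError:
        return False                           # no stream looks locally created, which is the evasion


# Constructed sample, with the CRLF line endings Windows writes.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download\r\n"
    "HostUrl=https://example.invalid/files/EXONE_2606202201.7z\r\n"
)

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```

On Windows the stream is read through the file name plus `:Zone.Identifier` (for example `Get-Content -Stream Zone.Identifier <file>` in PowerShell); once the sample has deleted it, that read fails and `is_marked_internet` returns False, which is exactly the outcome the sample wants. Note that the report shows the executable being extracted by 7za.exe from the downloaded archive, so whether the file ever carried a stream depends on the extractor propagating it; the delete attempt is the indicator either way.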
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX (17 identical entries)
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Process information set: NOOPENFILEERRORBOX (40 identical entries)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX (56 identical entries)

              Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: EXONE 2606202201.exe, 00000009.00000002.515278704.0000000003250000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 784
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4548 | Thread sleep count: 232 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4548 | Thread sleep time: -116000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe TID: 4576 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe TID: 4412 | Thread sleep count: 176 > 30
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe TID: 1560 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1788 | Thread sleep count: 784 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 | Thread sleep time: -55500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 | Thread sleep time: -46500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 | Thread sleep time: -35500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 | Thread sleep time: -34000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 | Thread sleep time: -30500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical entries)
Source: C:\Windows\SysWOW64\unarchiver.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4_2_00B6B042 GetSystemInfo,4_2_00B6B042
Source: InstallUtil.exe, 0000000C.00000002.852142229.0000000006210000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: EXONE 2606202201.exe, 00000009.00000002.515278704.0000000003250000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: InstallUtil.exe, 0000000C.00000002.852142229.0000000006210000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: InstallUtil.exe, 0000000C.00000002.852142229.0000000006210000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: InstallUtil.exe, 0000000C.00000002.853204000.00000000067D0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: InstallUtil.exe, 0000000C.00000002.852142229.0000000006210000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Process information queried: ProcessInformation
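The sleep lines above are what the long-sleep and evasive-loop signatures key on. The value 922337203685477 is Int64.MaxValue, read as 100-nanosecond ticks, divided by 10,000: the largest delay a signed 64-bit tick count can hold, printed in milliseconds. A thread parked with that interval never wakes inside any sandbox run. The Python below is an added example, not part of the report, that re-implements the two heuristics over the report's own sleep lines (copied here as the sample input, in both the glued form shown on the page and the cleaned-up form): a single wait no genuine timeout would use, and a loop of many short sleeps. The one-day bound and the finding names are assumptions of this example.

```python
"""Flag sandbox-evasive sleeps in Joe Sandbox-style behaviour lines.

Added example, not part of the report. It re-implements, over the report's
own "Thread sleep" / "Thread delayed" lines, the two heuristics the
signatures above rely on: one wait too long to be a real timeout, and a
loop of many short sleeps. The thresholds are assumptions of this example.
"""
import re
from collections import defaultdict

# Largest delay a signed 64-bit count of 100 ns ticks can hold, in milliseconds.
# The report prints exactly this value: the thread is parked "forever".
MAX_WAIT_MS = (2**63 - 1) // 10_000        # 922337203685477
ONE_DAY_MS = 24 * 60 * 60 * 1000            # assumed upper bound for a genuine wait
LOOP_COUNT = 30                             # same count threshold the report prints ("> 30")

# Accepts both the glued form on the page ("...exe TID: 5096Thread sleep time: -60000s")
# and the same line with a " | " column separator.
_SLEEP_TIME = re.compile(r"Source: (?P<proc>.+?) TID: (?P<tid>\d+)[ |]*Thread sleep time: -(?P<ms>\d+)s")
_SLEEP_COUNT = re.compile(r"Source: (?P<proc>.+?) TID: (?P<tid>\d+)[ |]*Thread sleep count: (?P<n>\d+)")
_DELAYED = re.compile(r"Source: (?P<proc>.+?)[ |]*Thread delayed: delay time: (?P<ms>\d+)")


def _exe(path: str) -> str:
    """Basename of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def analyze_sleeps(lines):
    """Return {exe: {"findings": set, "max_wait_ms": int, "loops": {tid: count}}}."""
    result = defaultdict(lambda: {"findings": set(), "max_wait_ms": 0, "loops": {}})
    for raw in lines:
        line = raw.strip()
        m = _DELAYED.match(line) or _SLEEP_TIME.match(line)
        if m:
            rec = result[_exe(m["proc"])]
            ms = int(m["ms"])
            rec["max_wait_ms"] = max(rec["max_wait_ms"], ms)
            if ms == MAX_WAIT_MS:
                rec["findings"].add("infinite_wait")        # maximum representable interval
            if ms > ONE_DAY_MS:
                rec["findings"].add("implausible_wait")     # no real timeout is this long
            continue
        m = _SLEEP_COUNT.match(line)
        if m:
            rec = result[_exe(m["proc"])]
            n = int(m["n"])
            rec["loops"][m["tid"]] = n
            if n > LOOP_COUNT:
                rec["findings"].add("sleep_loop")           # stalling loop or repeated timing checks
    return dict(result)


# Sample input: lines copied from the report above (glued and cleaned forms mixed on purpose).
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4548 | Thread sleep count: 232 > 30
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 4548 | Thread sleep time: -116000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe TID: 4576 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe TID: 4412 | Thread sleep count: 176 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1788 | Thread sleep count: 784 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5096 | Thread sleep time: -30000s >= -30000s
""".strip().splitlines()

if __name__ == "__main__":
    for exe, rec in analyze_sleeps(SAMPLE_LINES).items():
        print(exe, sorted(rec["findings"]), rec["max_wait_ms"], rec["loops"])
```

Two caveats when reading the output. unarchiver.exe is the sandbox's own helper and still trips the sleep-count rule, so a count alone is weak evidence; the absurd wait values are what carry the verdict. Likewise, the Hyper-V messages listed above read as standard Windows error text rather than sample-specific logic; the SBIEDLL.DLL (Sandboxie) and vmware strings in the unpacked region of EXONE 2606202201.exe are the meaningful anti-analysis indicators in this section.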

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_06580E90 KiUserExceptionDispatcher,LdrInitializeThunk,KiUserExceptionDispatcher,KiUserExceptionDispatcher,12_2_06580E90
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 448000
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 44A000
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 1164008
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e' 'C:\Users\user\Desktop\download\EXONE 2606202201.7z'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: unarchiver.exe, 00000004.00000002.848332150.00000000012F0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.848794387.0000000001AD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000004.00000002.848332150.00000000012F0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.848794387.0000000001AD0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: unarchiver.exe, 00000004.00000002.848332150.00000000012F0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.848794387.0000000001AD0000.00000002.00000001.sdmp | Binary or memory string: RProgram Managerm
Source: unarchiver.exe, 00000004.00000002.848332150.00000000012F0000.00000002.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.848794387.0000000001AD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
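The three signatures above describe one technique. The dropper starts InstallUtil.exe (a .NET Framework tool it has dropped into %TEMP%), allocates an executable region at 0x400000 in it, the default image base of a 32-bit .NET executable, and writes a buffer beginning with 4D5A ("MZ") there, followed by further writes at page-aligned addresses inside that image. That is a PE image being laid over the host process, i.e. process hollowing, with InstallUtil.exe as the benign-looking carrier. The Python below is an added example, not part of the report, that correlates those event lines (copied from the report as the sample input, in both the glued form shown on the page and the cleaned-up form) into a per-process-pair verdict. The hollowing verdict and the PEB note are this example's own reading of the evidence, not something the sandbox states.

```python
"""Correlate foreign-memory events from a Joe Sandbox-style report into an injection verdict.

Added example, not part of the report. Reads the report's "Process created",
"Memory allocated" and "Memory written" lines and decides whether a process
wrote a PE image into another process it had just started. The hollowing
verdict and the PEB note are this example's inferences, not sandbox output.
"""
import re
from collections import defaultdict

PAGE = 0x1000
# The report page glues columns together and appends "Jump to behavior";
# the patterns tolerate both the glued and the cleaned-up form.
_SRC = r"Source: (?P<src>.+?\.exe)[ |]*"
_TAIL = r"(?:Jump to behavior)?$"
_CREATE = re.compile(_SRC + r"Process created: (?P<dst>.+?\.exe) (?P<cmd>.+?)" + _TAIL)
_ALLOC = re.compile(_SRC + r"Memory allocated: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+?)" + _TAIL)
_WRITE = re.compile(_SRC + r"Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)"
                    r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?" + _TAIL)


def _exe(path: str) -> str:
    """Basename of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def correlate(lines):
    """Return {(source_exe, target_exe): record} for every pair seen in the lines."""
    pairs = defaultdict(lambda: {"created": False, "allocs": {}, "writes": {}, "findings": set()})
    for raw in lines:
        line = raw.strip()
        if m := _CREATE.match(line):
            pairs[(_exe(m["src"]), _exe(m["dst"]))]["created"] = True
        elif m := _ALLOC.match(line):
            pairs[(_exe(m["src"]), _exe(m["dst"]))]["allocs"][int(m["base"], 16)] = m["prot"]
        elif m := _WRITE.match(line):
            pairs[(_exe(m["src"]), _exe(m["dst"]))]["writes"][int(m["base"], 16)] = (m["magic"] or "").upper()

    for rec in pairs.values():
        for base, magic in rec["writes"].items():
            if not magic.startswith("4D5A"):          # 'MZ': a DOS/PE header landing in another process
                continue
            rec["findings"].add("pe_written")
            if "execute" in rec["allocs"].get(base, ""):
                rec["findings"].add("executable_image_region")   # region was reserved executable at that base
            if rec["created"]:
                rec["findings"].add("hollowing_candidate")       # parent spawned the target, then replaced its image
        if rec["writes"] and not rec["findings"]:
            rec["findings"].add("foreign_write")                 # writes, but no PE header seen
        # Inference only: PEB.ImageBaseAddress sits at offset 8 of the 32-bit PEB, and
        # hollowing loaders patch it after placing the new image.
        if any(addr % PAGE == 8 for addr in rec["writes"]):
            rec["findings"].add("possible_peb_imagebase_update")
    return dict(pairs)


# Sample input: lines copied from the report above (the last one in the page's glued form).
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 448000
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 44A000
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 1164008Jump to behavior
""".strip().splitlines()

if __name__ == "__main__":
    for (src, dst), rec in correlate(SAMPLE_LINES).items():
        print(f"{src} -> {dst}: {sorted(rec['findings'])}")
```

The robust triggers are the cross-process write whose first bytes are MZ and the executable allocation at an address that is an image base; an EDR sees both as NtAllocateVirtualMemory / NtWriteVirtualMemory calls on a handle to another process, and the parent-child relationship only raises confidence. The final write at 0x1164008 is the one to check by hand: an 8-byte offset into a page is where the 32-bit PEB keeps ImageBaseAddress, which hollowing loaders update before resuming the main thread, but the report does not say what that page is.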

Source: C:\Windows\SysWOW64\wget.exe | Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\amqrnpay.x1e\EXONE 2606202201.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 12_2_06580878 GetUserNameW,12_2_06580878
Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:
