Analysis Report Invoice No F1019855_PDF.vbs

Overview

General Information

Sample Name: Invoice No F1019855_PDF.vbs
Analysis ID: 411334
MD5: fcf52f96d96c68788ffe13fcccd4c89c
SHA1: ca29113b7607ecb7d9a65d8285d7d36f367b1cd0
SHA256: fbc5a1e5f8a02c644cf207d40885c7973dc7e4809b97f676927da3e13e17ed1f
Tags: NanoCoreRATvbs

Detection

Nanocore AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
VBScript performs obfuscated calls to suspicious functions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 0000000B.00000002.476715022.0000000004087000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore
{
  "Version": "1.2.2.0",
  "Mutex": "c687c38e-2b2d-4d96-b5eb-9a31ccba",
  "Group": "Sys",
  "Domain1": "sys2021.linkpc.net",
  "Domain2": "",
  "Port": 11940,
  "KeyboardLogging": "Enable",
  "RunOnStartup": "Disable",
  "RequestElevation": "Disable",
  "BypassUAC": "Disable",
  "ClearZoneIdentifier": "Enable",
  "ClearAccessControl": "Disable",
  "SetCriticalProcess": "Disable",
  "PreventSystemSleep": "Enable",
  "ActivateAwayMode": "Disable",
  "EnableDebugMode": "Disable",
  "RunDelay": 0,
  "ConnectDelay": 4000,
  "RestartDelay": 5000,
  "TimeoutInterval": 5000,
  "KeepAliveTimeout": 30000,
  "MutexTimeout": 5000,
  "LanTimeout": 2500,
  "WanTimeout": 8000,
  "BufferSize": "ffff0000",
  "MaxPacketSize": "0000a000",
  "GCThreshold": "0000a000",
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}
Multi AV Scanner detection for submitted file
Source: Invoice No F1019855_PDF.vbs ReversingLabs: Detection: 21%
Yara detected Nanocore RAT
Source: Yara match File source: 0000000B.00000002.476715022.0000000004087000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.468941603.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254692678.0000000004551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.478086503.0000000005950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 6612, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 800, type: MEMORY
Source: Yara match File source: 11.2.name.exe.5950000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.408e43c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.4092a65.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.408e43c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.5950000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.48f8090.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.5954629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.47d8c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.46d79c8.2.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.name.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.name.exe.5950000.11.unpack Avira: Label: TR/NanoCore.fadte
Source: 10.2.file.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\name.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Binary string: mscorrc.pdb source: name.exe, 00000004.00000002.261482145.0000000007200000.00000002.00000001.sdmp, name.exe, 0000000B.00000002.477662832.00000000054D0000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: sys2021.linkpc.net
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 87.98.245.48 ports 10090,0,1,4,9,11940
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49725 -> 87.98.245.48:11940
Source: global traffic TCP traffic: 192.168.2.3:49736 -> 191.96.25.26:11940
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.98.245.48
Source: unknown TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown DNS traffic detected: queries for: sys2021.linkpc.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match File source: 00000003.00000002.256966112.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.468822970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7156, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6588, type: MEMORY
Source: Yara match File source: 3.2.file.exe.421ac70.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.file.exe.4238890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.file.exe.421ac70.3.raw.unpack, type: UNPACKEDPE
Installs a raw input device (often for capturing keystrokes)
Source: name.exe, 0000000B.00000002.476715022.0000000004087000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (Yara match sources identical to those listed under AV Detection)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.477861276.0000000005590000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.476715022.0000000004087000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.468941603.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.468941603.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.254692678.0000000004551000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.254692678.0000000004551000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.478086503.0000000005950000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: name.exe PID: 6612, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: name.exe PID: 6612, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: name.exe PID: 800, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: name.exe PID: 800, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.name.exe.5950000.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.name.exe.5590000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.name.exe.408e43c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.name.exe.4092a65.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.name.exe.408e43c.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.name.exe.5950000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.48f8090.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.48f8090.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.name.exe.3051688.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.name.exe.5954629.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.47d8c38.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.47d8c38.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.46d79c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.name.exe.46d79c8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_059028A2 NtQuerySystemInformation, 4_2_059028A2
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_05902868 NtQuerySystemInformation, 4_2_05902868
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_0534116A NtQuerySystemInformation, 11_2_0534116A
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_0534112F NtQuerySystemInformation, 11_2_0534112F
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_0569E8A3 4_2_0569E8A3
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_056968B1 4_2_056968B1
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_05698880 4_2_05698880
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_05698890 4_2_05698890
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_0569E756 4_2_0569E756
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_05699BC0 4_2_05699BC0
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_0569DFC0 4_2_0569DFC0
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_0569E780 4_2_0569E780
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_0569EE60 4_2_0569EE60
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_0569EE4F 4_2_0569EE4F
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_0569E63E 4_2_0569E63E
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_056976C0 4_2_056976C0
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_05698AA8 4_2_05698AA8
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_056986A0 4_2_056986A0
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_056976BA 4_2_056976BA
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_056986B0 4_2_056986B0
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_0569368F 4_2_0569368F
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_05694A98 4_2_05694A98
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_05698A98 4_2_05698A98
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_0745366F 4_2_0745366F
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_07451700 4_2_07451700
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_07451BA9 4_2_07451BA9
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_07451BB8 4_2_07451BB8
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_07452E27 4_2_07452E27
Source: C:\Users\user\AppData\Local\Temp\file.exe Code function: 10_2_00D66091 10_2_00D66091
Source: C:\Users\user\AppData\Local\Temp\file.exe Code function: 10_2_00D68A84 10_2_00D68A84
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_0098608D 11_2_0098608D
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_00986281 11_2_00986281
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_02AF7ABE 11_2_02AF7ABE
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_05219068 11_2_05219068
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_05218468 11_2_05218468
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_05213850 11_2_05213850
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_0521ACC8 11_2_0521ACC8
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_052123A0 11_2_052123A0
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_05212FA8 11_2_05212FA8
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_0521912F 11_2_0521912F
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_05219910 11_2_05219910
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_0521306F 11_2_0521306F
Java / VBScript file with very long strings (likely obfuscated code)
Source: Invoice No F1019855_PDF.vbs Initial sample: Strings found which are bigger than 50
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\file.exe Section loaded: sysmain.dll Jump to behavior
Yara signature match
Source: 0000000B.00000002.477861276.0000000005590000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.477861276.0000000005590000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.476715022.0000000004087000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.468941603.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.468941603.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.254692678.0000000004551000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.254692678.0000000004551000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.478086503.0000000005950000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.478086503.0000000005950000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: name.exe PID: 6612, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: name.exe PID: 6612, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: name.exe PID: 800, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: name.exe PID: 800, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.name.exe.5950000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.name.exe.5950000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.name.exe.5590000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.name.exe.5590000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.name.exe.408e43c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.name.exe.408e43c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.name.exe.4092a65.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.name.exe.4092a65.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.name.exe.408e43c.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.name.exe.408e43c.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.name.exe.5950000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.name.exe.5950000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.48f8090.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.48f8090.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.name.exe.3051688.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.name.exe.3051688.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.name.exe.5954629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.name.exe.5954629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.47d8c38.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.47d8c38.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.name.exe.46d79c8.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.name.exe.46d79c8.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: file.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: JkeJLChUI.exe.3.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: LiydYED.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winVBS@15/9@24/2
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_059027D2 AdjustTokenPrivileges, 4_2_059027D2
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_0590279B AdjustTokenPrivileges, 4_2_0590279B
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_05340F2A AdjustTokenPrivileges, 11_2_05340F2A
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_05340EF3 AdjustTokenPrivileges, 11_2_05340EF3
Source: C:\Users\user\AppData\Local\Temp\file.exe File created: C:\Users\user\AppData\Roaming\JkeJLChUI.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Mutant created: \Sessions\1\BaseNamedObjects\871-085a33d91457
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\file.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Users\user\AppData\Local\Temp\name.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Local\Temp\name.exe Mutant created: \Sessions\1\BaseNamedObjects\lsPvaxhQEBvPAUaKmBBEq
Source: C:\Users\user\AppData\Local\Temp\file.exe Mutant created: \Sessions\1\BaseNamedObjects\RZiGID
Source: C:\Users\user\AppData\Local\Temp\name.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{c687c38e-2b2d-4d96-b5eb-9a31ccba603d}
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\file.exe Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs'
Source: C:\Users\user\AppData\Local\Temp\file.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Invoice No F1019855_PDF.vbs ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\file.exe 'C:\Users\user\AppData\Local\Temp\file.exe'
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\name.exe 'C:\Users\user\AppData\Local\Temp\name.exe'
Source: C:\Users\user\AppData\Local\Temp\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JkeJLChUI' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD9.tmp'
Source: C:\Users\user\AppData\Local\Temp\name.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LiydYED' /XML 'C:\Users\user\AppData\Local\Temp\tmpC12.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\file.exe Process created: C:\Users\user\AppData\Local\Temp\file.exe {path}
Source: C:\Users\user\AppData\Local\Temp\name.exe Process created: C:\Users\user\AppData\Local\Temp\name.exe {path}
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\file.exe 'C:\Users\user\AppData\Local\Temp\file.exe' Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\name.exe 'C:\Users\user\AppData\Local\Temp\name.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JkeJLChUI' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD9.tmp' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process created: C:\Users\user\AppData\Local\Temp\file.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LiydYED' /XML 'C:\Users\user\AppData\Local\Temp\tmpC12.tmp' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process created: C:\Users\user\AppData\Local\Temp\name.exe {path} Jump to behavior
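The process creations above form one chain: wscript.exe runs the .vbs, writes file.exe and name.exe into the user's Temp folder and starts them; each of those registers a scheduled task under Updates\ from an XML file in the same Temp folder; and each then starts a second instance of itself with no arguments (the `{path}` command line), the pattern behind the "Creates a process in suspended mode" and injection signatures in the overview. The detection logic below is an editor's example added to this page, not part of the Joe Sandbox report: it runs three rules over constructed Sysmon-style process-creation records built from the report's images and command lines (PIDs are invented, and two benign records are added as controls) and walks the parent chain of any hit.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")

# Constructed events modelled on the report's process tree: images and command
# lines are the report's, PIDs are invented; the last two records are benign
# controls the rules must leave alone.
_T = r"C:\Users\user\AppData\Local\Temp"
_WS = r"C:\Windows\System32\wscript.exe"
_ST = r"C:\Windows\SysWOW64\schtasks.exe"
_CREATE = r"'C:\Windows\System32\schtasks.exe' /Create /TN "
EVENTS = [
    {"pid": 1000, "ppid": 900, "image": _WS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": _WS + r" 'C:\Users\user\Desktop\Invoice No F1019855_PDF.vbs'"},
    {"pid": 7156, "ppid": 1000, "image": _T + r"\file.exe", "parent_image": _WS,
     "cmdline": "'" + _T + r"\file.exe'"},
    {"pid": 6612, "ppid": 1000, "image": _T + r"\name.exe", "parent_image": _WS,
     "cmdline": "'" + _T + r"\name.exe'"},
    {"pid": 2001, "ppid": 7156, "image": _ST, "parent_image": _T + r"\file.exe",
     "cmdline": _CREATE + r"'Updates\JkeJLChUI' /XML '" + _T + r"\tmpAD9.tmp'"},
    {"pid": 2002, "ppid": 6612, "image": _ST, "parent_image": _T + r"\name.exe",
     "cmdline": _CREATE + r"'Updates\LiydYED' /XML '" + _T + r"\tmpC12.tmp'"},
    {"pid": 2003, "ppid": 2001, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": _ST, "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 6588, "ppid": 7156, "image": _T + r"\file.exe",
     "parent_image": _T + r"\file.exe", "cmdline": "{path}"},
    {"pid": 800, "ppid": 6612, "image": _T + r"\name.exe",
     "parent_image": _T + r"\name.exe", "cmdline": "{path}"},
    {"pid": 3001, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"pid": 3002, "ppid": 3000, "image": _ST,
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "schtasks.exe /Query /FO LIST"},
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _switch_arg(cmdline, switch):
    """Value following a schtasks switch, whether quoted with ', with \" or bare."""
    pattern = re.escape(switch) + r"\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))"
    m = re.search(pattern, cmdline, re.IGNORECASE)
    return next((g for g in m.groups() if g is not None), None) if m else None


def rule_script_host_runs_temp_exe(ev):
    """A script host starting an executable out of the user's Temp folder."""
    if _base(ev["parent_image"]) in SCRIPT_HOSTS and USER_TEMP.search(ev["image"]):
        return {"child": ev["image"]}


def rule_schtasks_xml_from_temp(ev):
    """schtasks /Create fed a task definition that lives in Temp."""
    if _base(ev["image"]) != "schtasks.exe" or "/create" not in ev["cmdline"].lower():
        return None
    xml = _switch_arg(ev["cmdline"], "/XML")
    if xml and USER_TEMP.search(xml):
        return {"task": _switch_arg(ev["cmdline"], "/TN"), "xml": xml,
                "registered_by": ev["parent_image"]}


def rule_self_respawn(ev):
    """A binary outside Windows/Program Files starting a second copy of itself:
    the usual prelude to hollowing that child (created suspended, image replaced)."""
    if (ev["image"].lower() == ev["parent_image"].lower()
            and not ev["image"].lower().startswith(TRUSTED_ROOTS)):
        return {"image": ev["image"]}


RULES = {
    "script_host_runs_temp_exe": rule_script_host_runs_temp_exe,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "self_respawn": rule_self_respawn,
}


def detect(events):
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            hit = rule(ev)
            if hit:
                findings.append({"rule": name, "pid": ev["pid"], **hit})
    return findings


def lineage(events, pid):
    """Image names from the outermost known ancestor down to pid."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["rule"], f["pid"], " -> ".join(lineage(EVENTS, f["pid"])))
```

The self-respawn rule is deliberately scoped to images outside the Windows and Program Files trees, because browsers and installers legitimately spawn copies of themselves; the two schtasks controls show the difference between a /Create that reads its definition out of Temp and an ordinary /Query.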
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Invoice No F1019855_PDF.vbs Static file information: File size 2072856 > 1048576
Source: C:\Users\user\AppData\Local\Temp\name.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Binary string: mscorrc.pdb source: name.exe, 00000004.00000002.261482145.0000000007200000.00000002.00000001.sdmp, name.exe, 0000000B.00000002.477662832.00000000054D0000.00000002.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\file.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDADJHWrcAAAAAAAAAAOAAAgELATAAALIKAAAIAAAAAAAAVtE");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\file.exe", "2");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAOnJY+kAAAAAAAAAAOAAAgELATAAAPALAAAIAAAAAAAAOg4");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\name.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\file.exe");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\name.exe")
.NET source code contains potential unpacker
Source: JkeJLChUI.exe.3.dr, MainForm.cs .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.file.exe.d70000.0.unpack, MainForm.cs .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.file.exe.d70000.0.unpack, MainForm.cs .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.name.exe.cd0000.0.unpack, MainForm.cs .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.name.exe.cd0000.0.unpack, MainForm.cs .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.file.exe.d60000.1.unpack, MainForm.cs .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: file.exe.0.dr Static PE information: 0xB75A4732 [Fri Jun 24 13:16:34 2067 UTC]
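The AMSI trace under Data Obfuscation shows the dropper's whole mechanism: two base64 strings are pushed through an MSXML element with dataType bin.base64, the resulting byte array is written with ADODB.Stream to %TEMP%\file.exe and %TEMP%\name.exe, and both are started through WshShell.Run. The script below is an editor's example added to this page, not part of the Joe Sandbox report or of the sample: it reassembles that trace from the text above and recovers what it can from the truncated blobs, confirming that both are PE32 images and reading their COFF link timestamps, which is where the 0xB75A4732 (24 June 2067) value flagged as suspicious comes from; the same check on the second blob, name.exe, also yields a timestamp decades in the future. The reference date used to decide what counts as "future" defaults to the current clock.

```python
import base64
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed input: the AMSI call trace printed in the report, reassembled from
# its text. The two embedded images share a stock MZ header, DOS stub and PE
# signature, so that prefix is written once (the "AAAA" * 11 run is the
# zero-filled tail of the DOS header); each blob ends where the sandbox cut it.
_PE_PREFIX = (
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA" + "AAAA" * 11
    + "gAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0K"
    + "JAAAAAAAAABQRQAATAED"
)
_BLOBS = {
    "file.exe": _PE_PREFIX + "ADJHWrcAAAAAAAAAAOAAAgELATAAALIKAAAIAAAAAAAAVtE",
    "name.exe": _PE_PREFIX + "AOnJY+kAAAAAAAAAAOAAAgELATAAAPALAAAIAAAAAAAAOg4",
}
_TEMP = r"C:\Users\user\AppData\Local\Temp"


def _save_block(blob, target):
    """One decode-and-write round of the script, as the AMSI logger rendered it."""
    return ('IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");'
            'IXMLDOMElement.text("' + blob + '");IXMLDOMElement.nodeTypedValue();'
            '_Stream.Type("1");_Stream.Open();'
            '_Stream.Write("Unsupported parameter type 00002011");'
            '_Stream.SaveToFile("' + target + '", "2");')


AMSI_TRACE = (
    '.Run("' + _TEMP + '\\file.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();'
    'IFileSystem3.GetSpecialFolder("2");IFolder.Path();'
    + _save_block(_BLOBS["file.exe"], _TEMP + "\\file.exe")
    + _save_block(_BLOBS["name.exe"], _TEMP + "\\name.exe")
    + 'IWshShell3.Run("' + _TEMP + '\\file.exe");IWshShell3.Run("' + _TEMP + '\\name.exe")'
)

BLOB_RE = re.compile(r'IXMLDOMElement\.text\("([A-Za-z0-9+/=]+)"\)')
SAVE_RE = re.compile(r'_Stream\.SaveToFile\("([^"]+)",\s*"\d"\)')
RUN_RE = re.compile(r'\.Run\("([^"]+)"\)')
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode_truncated_b64(blob):
    """Decode base64 the sandbox cut mid-stream by dropping a dangling partial group."""
    return base64.b64decode(blob[: len(blob) - len(blob) % 4])


def parse_pe_header(data):
    """Return the COFF header fields of a PE image, or None if data is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 26 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, sections, stamp, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": machine,                    # 0x14C = i386, a 32-bit image
        "sections": sections,
        "timestamp": stamp,
        # Computed from the epoch so it works beyond what fromtimestamp allows on some platforms.
        "compiled": EPOCH + timedelta(seconds=stamp),
        "characteristics": chars,
        "opt_magic": struct.unpack_from("<H", data, e_lfanew + 24)[0],  # 0x10B = PE32
        "dos_stub": b"This program cannot be run in DOS mode" in data,
    }


def triage(trace, reference=None):
    """Pair every decoded blob with the path it is written to and flag oddities."""
    reference = reference or datetime.now(timezone.utc)
    drops = []
    for blob, path in zip(BLOB_RE.findall(trace), SAVE_RE.findall(trace)):
        header = parse_pe_header(decode_truncated_b64(blob))
        entry = {"path": path, "is_pe": header is not None}
        if header:
            entry.update(header)
            # A link timestamp later than the analysis date is forged or randomised.
            entry["future_timestamp"] = header["compiled"] > reference
        drops.append(entry)
    return {"drops": drops, "executed": RUN_RE.findall(trace)}


if __name__ == "__main__":
    for d in triage(AMSI_TRACE)["drops"]:
        print(d["path"], hex(d["timestamp"]), d["compiled"].date(),
              "future" if d["future_timestamp"] else "")
```

Because the sandbox truncates each blob a few bytes into the optional header, only the DOS and COFF headers are recoverable here; on the full script the same decoder yields the complete executables, which is the quickest route to the payloads when the dropped files themselves are not available.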
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_016B0DA8 push esi; ret 4_2_016B0DAB
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_016B0D60 push esi; ret 4_2_016B0D63
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_016B0DF0 push esi; ret 4_2_016B0DF3
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_016B0E90 push esi; ret 4_2_016B0E93
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_016E7DC1 push 64016E86h; ret 4_2_016E82D1
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_056985F8 pushfd ; retf 4_2_056985F9
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_05698588 pushad ; retf 4_2_05698591
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_0569DA2A push E9FFFFFFh; iretd 4_2_0569DA2F
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_02AF9D30 pushad ; retf 11_2_02AF9D31
Source: initial sample Static PE information: section name: .text entropy: 7.21530395794
Source: initial sample Static PE information: section name: .text entropy: 7.21530395794
Source: initial sample Static PE information: section name: .text entropy: 7.33039162712

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\file.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\name.exe File created: C:\Users\user\AppData\Roaming\LiydYED.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\file.exe File created: C:\Users\user\AppData\Roaming\JkeJLChUI.exe Jump to dropped file
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\name.exe Jump to dropped file

Boot Survival:

Yara detected AsyncRAT
Source: Yara match File source: 00000003.00000002.256966112.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.468822970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7156, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6588, type: MEMORY
Source: Yara match File source: 3.2.file.exe.421ac70.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.file.exe.4238890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.file.exe.421ac70.3.raw.unpack, type: UNPACKEDPE
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JkeJLChUI' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD9.tmp'
Creates or modifies windows services
Source: C:\Users\user\AppData\Local\Temp\file.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage Jump to behavior
Modifies existing windows services
Source: C:\Users\user\AppData\Local\Temp\file.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\name.exe File opened: C:\Users\user\AppData\Local\Temp\name.exe:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000003.00000002.255078777.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 6612, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6588, type: MEMORY
Source: Yara match File source: 3.2.file.exe.311576c.1.raw.unpack, type: UNPACKEDPE
Yara detected AsyncRAT
Source: Yara match File source: 00000003.00000002.256966112.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.468822970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7156, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6588, type: MEMORY
Source: Yara match File source: 3.2.file.exe.421ac70.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.file.exe.4238890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.file.exe.421ac70.3.raw.unpack, type: UNPACKEDPE
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\name.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: file.exe, 00000003.00000002.255078777.00000000030F1000.00000004.00000001.sdmp, name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file.exe, 00000003.00000002.255078777.00000000030F1000.00000004.00000001.sdmp, name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: file.exe, 00000003.00000002.256966112.00000000040F9000.00000004.00000001.sdmp, file.exe, 0000000A.00000002.468822970.0000000000402000.00000040.00000001.sdmp Binary or memory string: SBIEDLL.DLLME: CHAT
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\name.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\name.exe Window / User API: foregroundWindowGot 835 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 6592 Thread sleep time: -31500s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe TID: 2540 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe TID: 6616 Thread sleep time: -31500s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe TID: 6648 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe TID: 5060 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe TID: 5060 Thread sleep count: 145 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe TID: 5060 Thread sleep count: 221 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe TID: 3512 Thread sleep count: 256 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe TID: 5060 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe TID: 5052 Thread sleep time: -280000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\file.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_05340BB6 GetSystemInfo, 11_2_05340BB6
Source: C:\Users\user\AppData\Local\Temp\file.exe Thread delayed: delay time: 31500 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Thread delayed: delay time: 31500 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: file.exe, 00000003.00000002.267489782.0000000007A75000.00000004.00000001.sdmp Binary or memory string: VMware
Source: file.exe, 0000000A.00000002.478323330.0000000005947000.00000004.00000001.sdmp Binary or memory string: 8258RemoteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer 
Interrupts/secy&
Source: file.exe, 0000000A.00000002.473021861.0000000003191000.00000004.00000001.sdmp Binary or memory string: l!Hyper-V Virtual Machine Bus Pipes
Source: file.exe, 0000000A.00000002.477862631.0000000005646000.00000004.00000001.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration ServiceA
Source: file.exe, 0000000A.00000003.283195559.0000000005662000.00000004.00000001.sdmp Binary or memory string: Hyper-V odyhnxjxsoexvdl Bus'
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: XrA"SOFTWARE\VMware, Inc.\VMware Tools
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: wscript.exe, 00000000.00000002.217300558.0000023C9F5B0000.00000002.00000001.sdmp, file.exe, 0000000A.00000002.478778610.0000000005FD0000.00000002.00000001.sdmp, name.exe, 0000000B.00000002.478683812.0000000006380000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: file.exe, 00000003.00000002.267489782.0000000007A75000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareMZF7_W99Win32_VideoControllerAU6HH_1NVideoController120060621000000.000000-00039494928display.infMSBDAE93F5W6VPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsDGO2XXF2l
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: file.exe, 0000000A.00000002.477862631.0000000005646000.00000004.00000001.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service/
Source: file.exe, 0000000A.00000002.477926995.0000000005665000.00000004.00000001.sdmp Binary or memory string: Hyper-V odyhnxjxsoexvdl Bus?
Source: file.exe, 0000000A.00000002.477862631.0000000005646000.00000004.00000001.sdmp Binary or memory string: VHyper-V Virtual Machine Bus Provider PipesW
Source: file.exe, 0000000A.00000003.282965781.0000000001366000.00000004.00000001.sdmp Binary or memory string: terrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Cost5366IO Instructions/sec5368IO Instructions Cost5370HLT Instructions/sec5372HLT Instructions Cost5374MWAIT Instructions/sec5376MWAIT Instructions Cost5378CPUID Instructions/sec5380CPUID Instructions Cost5382MSR Accesses/sec5384MSR Accesses Cost5386Other Intercepts/sec5388Other Intercepts Cost5390External Interrupts/sec5392External Interrupts Cost5394Pending Interrupts/sec5396Pending Interrupts Cost5398Emulated Instructions/sec5400Emulated Instructions Cost5402Debug Register Accesses/sec5404Debug Register Accesses Cost5406Page Fault Intercepts/sec5408Page Fault Intercepts Cost5410Guest Page Table Maps/sec5412Large Page TLB Fills/sec5414Small Page TLB Fills/sec5416Reflected Guest Page Faults/sec5418APIC MMIO Accesses/sec5420IO Intercept Messages/sec5422Memory Intercept Messages/sec5424APIC EOI Accesses/sec5426Other Messages/sec5428Page Table Allocations/sec5430Logical Processor Migrations/sec5432Address Space Evictions/sec5434Address Space Switches/sec5436Address Domain Flushes/sec5438Address Space Flushes/sec5440Global GVA Range Flushes/sec5
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: file.exe, 0000000A.00000002.468822970.0000000000402000.00000040.00000001.sdmp Binary or memory string: vmware
Source: file.exe, 00000003.00000002.255078777.00000000030F1000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: Xr&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: file.exe, 0000000A.00000003.283195559.0000000005662000.00000004.00000001.sdmp Binary or memory string: Hyper-V odyhnxjxsoexvdl Bus Pipes)
Source: file.exe, 0000000A.00000002.473021861.0000000003191000.00000004.00000001.sdmp Binary or memory string: l)Hyper-V Hypervisor Root Virtual Processor
Source: file.exe, 0000000A.00000002.477862631.0000000005646000.00000004.00000001.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: file.exe, 0000000A.00000003.283312609.000000000135C000.00000004.00000001.sdmp Binary or memory string: RemoteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler In
Source: file.exe, 0000000A.00000002.478270567.0000000005896000.00000004.00000001.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus PipesU
Source: file.exe, 00000003.00000002.255078777.00000000030F1000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: Xr87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: wscript.exe, 00000000.00000002.217300558.0000023C9F5B0000.00000002.00000001.sdmp, file.exe, 0000000A.00000002.478778610.0000000005FD0000.00000002.00000001.sdmp, name.exe, 0000000B.00000002.478683812.0000000006380000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: wscript.exe, 00000000.00000002.217300558.0000023C9F5B0000.00000002.00000001.sdmp, file.exe, 0000000A.00000002.478778610.0000000005FD0000.00000002.00000001.sdmp, name.exe, 0000000B.00000002.478683812.0000000006380000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: file.exe, 0000000A.00000002.473021861.0000000003191000.00000004.00000001.sdmp Binary or memory string: l$Hyper-V Hypervisor Logical Processor
Source: file.exe, 0000000A.00000002.470394784.0000000001316000.00000004.00000020.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: file.exe, 0000000A.00000002.478270567.0000000005896000.00000004.00000001.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: file.exe, 0000000A.00000002.470394784.0000000001316000.00000004.00000020.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: file.exe, 0000000A.00000002.477862631.0000000005646000.00000004.00000001.sdmp Binary or memory string: Hyper-V odyhnxjxsoexvdl Bus Provider Pipes
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: Xr#"SOFTWARE\VMware, Inc.\VMware Tools
Source: file.exe, 0000000A.00000002.473021861.0000000003191000.00000004.00000001.sdmp Binary or memory string: l!Hyper-V Hypervisor Root Partition
Source: file.exe, 0000000A.00000002.473021861.0000000003191000.00000004.00000001.sdmp Binary or memory string: l*Hyper-V Virtual Machine Bus Provider Pipes
Source: file.exe, 0000000A.00000003.283296035.0000000005948000.00000004.00000001.sdmp Binary or memory string: C VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/secy&
Source: wscript.exe, 00000000.00000003.213260478.0000023C9D1E3000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: file.exe, 0000000A.00000002.470394784.0000000001316000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: file.exe, 0000000A.00000002.473021861.0000000003191000.00000004.00000001.sdmp Binary or memory string: l*Hyper-V Dynamic Memory Integration Service
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: wscript.exe, 00000000.00000002.215459586.0000023C9EE70000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: wscript.exe, 00000000.00000002.217300558.0000023C9F5B0000.00000002.00000001.sdmp, file.exe, 0000000A.00000002.478778610.0000000005FD0000.00000002.00000001.sdmp, name.exe, 0000000B.00000002.478683812.0000000006380000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: Xr#"SOFTWARE\VMware, Inc.\VMware ToolsH
Source: file.exe, 0000000A.00000002.473021861.0000000003191000.00000004.00000001.sdmp Binary or memory string: Hyper-V Hypervisor
Source: C:\Users\user\AppData\Local\Temp\file.exe Process information queried: ProcessInformation Jump to behavior
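The memory strings listed above are what the sandbox found in dumped regions, not a verdict on which of them the sample actually checks. The VMware Tools registry key, the VMware Tools path, the SCSI DEVICEMAP keys and the Disk\Enum key are classic VM-detection lookups; the Hyper-V counter names and the two Hyper-V Compute Service messages, by contrast, turn up identically in wscript.exe, file.exe and name.exe in read-only regions, which is what mapped system resource text looks like. The Python below is an added example (not the sample's, the sandbox vendor's or the report's code) that parses lines in this format and ranks each hit accordingly. The dump-name layout it assumes (process index, dump phase, timestamp, region base, page protection, region type) is inferred from this report, and the family list and confidence rules are assumptions of the example.

```python
"""Rank anti-VM 'Binary or memory string' hits from a sandbox report.

Added example. Parses report lines of the form
  Source: <process>, <memdump>.sdmp[, <process>, <memdump>.sdmp ...] Binary or memory string: <text>
and tags each hit with an indicator family and a confidence. The dump-name layout
(process index . dump phase . timestamp . region base . page protection . region type)
is inferred from the report and is an assumption, as are the confidence rules.
"""
import re

SOURCE_RE = re.compile(r"^Source:\s+(?P<sources>.+?)\s+Binary or memory string:\s*(?P<string>.*)$")
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)

PAGE_READONLY = 0x02           # Win32 page-protection constants
PAGE_EXECUTE_READWRITE = 0x40

# Indicator families, most specific first; needles are matched case-insensitively.
FAMILIES = [
    ("vmware_tools_registry", r"software\vmware, inc."),
    ("vmware_tools_path", r"program files\vmware\vmware tools"),
    ("vmware_device", "vmware svga"),
    ("vmware_device", "necvmwar"),
    ("scsi_devicemap", r"hardware\devicemap\scsi"),
    ("disk_enum", r"services\disk\enum"),
    ("hyperv_counter", "hyper-v hypervisor"),
    ("hyperv_counter", "hyper-v virtual machine bus"),
    ("hyperv_hcs_message", "hyper-v compute service"),
    ("hyperv_hcs_message", "hyper-v is not installed"),
    ("hyperv_generic", "hyper-v"),
    ("vmware_generic", "vmware"),
]
# Families that are also ordinary Windows text (perf counters, error messages).
WEAK_FAMILIES = {"hyperv_counter", "hyperv_hcs_message", "hyperv_generic"}


def parse_line(line):
    """Return {'string', 'regions'} for a memory-string line, else None."""
    m = SOURCE_RE.match(line.strip())
    if not m:
        return None
    regions, process = [], None
    for token in m["sources"].split(", "):
        d = DUMP_RE.match(token)
        if d is None:
            process = token          # a process name precedes its dump(s)
            continue
        regions.append({"process": process, "index": int(d["proc"], 16),
                        "base": int(d["base"], 16), "prot": int(d["prot"], 16)})
    return {"string": m["string"], "regions": regions}


def classify(text):
    low = text.lower()
    for family, needle in FAMILIES:
        if needle in low:
            return family
    return None


def triage(lines):
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["regions"]:
            continue
        family = classify(rec["string"])
        if family is None:
            continue
        procs = sorted({r["process"] for r in rec["regions"] if r["process"]})
        prots = {r["prot"] for r in rec["regions"]}
        # Caveat: one string seen in several processes, always in read-only pages,
        # is almost certainly text from a mapped system resource (perf-counter
        # names, HCS error messages), not a check the sample performs.
        if len(procs) >= 2 and prots == {PAGE_READONLY}:
            confidence = "low"
        elif family in WEAK_FAMILIES:
            confidence = "medium"
        else:
            confidence = "high"
        hits.append({
            "family": family,
            "confidence": confidence,
            "processes": procs,
            # A string inside an RWX region sits in unpacked or injected code.
            "rwx": any(p == PAGE_EXECUTE_READWRITE for p in prots),
            "string": rec["string"],
        })
    return hits


def credible_families(hits):
    """Families left after dropping low-confidence (shared read-only) hits."""
    return sorted({h["family"] for h in hits if h["confidence"] != "low"})


# Sample lines copied from the report section above.
SAMPLE = [
    r"Source: name.exe, 00000004.00000002.251572904.0000000003551000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools",
    r"Source: file.exe, 0000000A.00000002.468822970.0000000000402000.00000040.00000001.sdmp Binary or memory string: vmware",
    "Source: wscript.exe, 00000000.00000002.217300558.0000023C9F5B0000.00000002.00000001.sdmp, "
    "file.exe, 0000000A.00000002.478778610.0000000005FD0000.00000002.00000001.sdmp, "
    "name.exe, 0000000B.00000002.478683812.0000000006380000.00000002.00000001.sdmp "
    "Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.",
    r"Source: file.exe, 0000000A.00000002.473021861.0000000003191000.00000004.00000001.sdmp Binary or memory string: l$Hyper-V Hypervisor Logical Processor",
    r"Source: C:\Users\user\AppData\Local\Temp\file.exe Process information queried: ProcessInformation Jump to behavior",
]

if __name__ == "__main__":
    for h in triage(SAMPLE):
        print(f"{h['confidence']:6} {h['family']:22} {','.join(h['processes'])}  rwx={h['rwx']}  {h['string'][:60]}")
```

Run over the whole section, the high-confidence hits collapse to the VMware Tools registry and path lookups, the SCSI DEVICEMAP and Disk\Enum keys and the VMware SVGA II device name, all from name.exe's writable heap; the lone "vmware" string that lands in the RWX region at 0x402000 of file.exe is inside the injected image itself, which ties the check to the unpacked payload rather than the loader.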

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\file.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: file.exe.0.dr Jump to dropped file
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\name.exe Memory written: C:\Users\user\AppData\Local\Temp\name.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\file.exe 'C:\Users\user\AppData\Local\Temp\file.exe' Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\name.exe 'C:\Users\user\AppData\Local\Temp\name.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JkeJLChUI' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD9.tmp' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Process created: C:\Users\user\AppData\Local\Temp\file.exe {path} Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LiydYED' /XML 'C:\Users\user\AppData\Local\Temp\tmpC12.tmp' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Process created: C:\Users\user\AppData\Local\Temp\name.exe {path} Jump to behavior
Source: file.exe, 0000000A.00000002.472816675.0000000001C80000.00000002.00000001.sdmp, name.exe, 0000000B.00000002.474486275.00000000030CD000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: file.exe, 0000000A.00000002.472816675.0000000001C80000.00000002.00000001.sdmp, name.exe, 0000000B.00000002.472036052.00000000016E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: file.exe, 0000000A.00000002.472816675.0000000001C80000.00000002.00000001.sdmp, name.exe, 0000000B.00000002.472036052.00000000016E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: name.exe, 0000000B.00000002.474486275.00000000030CD000.00000004.00000001.sdmp Binary or memory string: Program Managerp
Source: file.exe, 0000000A.00000002.472816675.0000000001C80000.00000002.00000001.sdmp, name.exe, 0000000B.00000002.472036052.00000000016E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
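The lines in this section describe the installation chain end to end: wscript.exe drops a PE into the user's Temp directory and runs it, each stage registers a scheduled task under Updates\ from an XML file it wrote to Temp, then spawns a copy of itself and writes a PE image (value starting with 4D5A, "MZ") at base 0x400000 of that child, which is the process-hollowing pattern the "suspended mode" and "injects a PE file" signatures refer to. The Python below is an added example (not the sample's, the sandbox vendor's or the report's code) that turns behaviour lines of this shape into findings a responder can act on. The script-host list, the Temp-path test and the rule names are assumptions of the example.

```python
r"""Flag persistence and injection steps from sandbox behaviour lines.

Added example, not the sample's or the sandbox vendor's code. Understands three
line shapes from the report above (the trailing 'Jump to ...' link text is ignored):
  Source: <actor> Process created: <image> <command line>
  Source: <actor> Memory written: <target> base: <hex> value starts with: <hex>
  Source: <actor> File created: <dropped-file label>
Paths under AppData\Local\Temp are treated as 'temp'; the script-host list and
the rules are assumptions.
"""
import ntpath
import re
import shlex
from collections import namedtuple

Finding = namedtuple("Finding", "kind actor detail")

PROC_RE = re.compile(r"^Source:\s+(?P<src>\S+)\s+Process created:\s+(?P<target>\S+)\s+(?P<cmd>.*?)(?:\s+Jump to behavior)?$")
MEM_RE = re.compile(r"^Source:\s+(?P<src>\S+)\s+Memory written:\s+(?P<target>\S+)\s+base:\s+(?P<base>[0-9A-Fa-f]+)\s+value starts with:\s+(?P<magic>[0-9A-Fa-f]+)")
FILE_RE = re.compile(r"^Source:\s+(?P<src>\S+)\s+File created:\s+(?P<name>\S+)")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # assumed list
PE_MAGIC = "4D5A"                                            # 'MZ'


def base(path):
    return ntpath.basename(path).lower()


def in_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def opt(args, flag):
    """Value following a schtasks-style flag (case-insensitive), or None."""
    for i, a in enumerate(args[:-1]):
        if a.lower() == flag.lower():
            return args[i + 1]
    return None


def analyse(lines):
    findings = []
    for line in lines:
        line = line.strip()
        m = PROC_RE.match(line)
        if m:
            src, target, cmd = m["src"], m["target"], m["cmd"]
            if base(target) == "schtasks.exe":
                args = shlex.split(cmd)     # report quotes arguments with single quotes
                if "/create" in (a.lower() for a in args):
                    xml = opt(args, "/XML")
                    if xml and in_temp(xml):
                        # Task registered from an XML file in Temp, as both stages do here.
                        findings.append(Finding("task_from_temp_xml", src, f"{opt(args, '/TN')} <- {xml}"))
            elif base(src) in SCRIPT_HOSTS and in_temp(target):
                findings.append(Finding("script_host_runs_temp_exe", src, target))
            elif src == target:
                # A copy of itself: the usual hollowing target when spawned suspended.
                findings.append(Finding("self_respawn", src, cmd))
            continue
        m = MEM_RE.match(line)
        if m and m["magic"].upper().startswith(PE_MAGIC):
            kind = "pe_written_to_own_child" if m["src"] == m["target"] else "pe_written_to_foreign_process"
            findings.append(Finding(kind, m["src"], f"base=0x{int(m['base'], 16):X}"))
            continue
        m = FILE_RE.match(line)
        if m and base(m["src"]) in SCRIPT_HOSTS and re.search(r"\.exe(\.\d+\.dr)?$", m["name"], re.I):
            findings.append(Finding("script_host_drops_pe", m["src"], m["name"]))
    return findings


# Sample lines copied from the report section above.
SAMPLE_EVENTS = [
    r"Source: C:\Windows\System32\wscript.exe File created: file.exe.0.dr Jump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\name.exe Memory written: C:\Users\user\AppData\Local\Temp\name.exe base: 400000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\file.exe 'C:\Users\user\AppData\Local\Temp\file.exe' Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JkeJLChUI' /XML 'C:\Users\user\AppData\Local\Temp\tmpAD9.tmp' Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\file.exe Process created: C:\Users\user\AppData\Local\Temp\file.exe {path} Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\name.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LiydYED' /XML 'C:\Users\user\AppData\Local\Temp\tmpC12.tmp' Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\name.exe Process created: C:\Users\user\AppData\Local\Temp\name.exe {path} Jump to behavior",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.kind:28} {ntpath.basename(f.actor):12} {f.detail}")
```

The task names (Updates\JkeJLChUI, Updates\LiydYED) and the tmp*.tmp XML paths are the artefacts worth pulling from a live host: the XML is normally deleted after registration, but the task itself survives under %SystemRoot%\System32\Tasks\Updates\ and in the TaskCache registry hive, and a task there whose action points into a user's Temp directory is the durable indicator for this chain. The Program Manager / Shell_TrayWnd / Progman strings that follow in the report are window-class names, consistent with the sample enumerating the desktop shell rather than evidence of a further injection target.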

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file.exe Queries volume information: C:\Users\user\AppData\Local\Temp\file.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 4_2_05901382 GetUserNameA, 4_2_05901382
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match File source: 00000003.00000002.256966112.00000000040F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.468822970.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7156, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6588, type: MEMORY
Source: Yara match File source: 3.2.file.exe.421ac70.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.file.exe.4238890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.file.exe.421ac70.3.raw.unpack, type: UNPACKEDPE

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 0000000B.00000002.476715022.0000000004087000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.468941603.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254692678.0000000004551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.478086503.0000000005950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 6612, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 800, type: MEMORY
Source: Yara match File source: 11.2.name.exe.5950000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.408e43c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.4092a65.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.408e43c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.5950000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.48f8090.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.5954629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.47d8c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.46d79c8.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: name.exe, 00000004.00000002.254692678.0000000004551000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: name.exe, 0000000B.00000002.477861276.0000000005590000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: name.exe, 0000000B.00000002.477861276.0000000005590000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 0000000B.00000002.476715022.0000000004087000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.468941603.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254692678.0000000004551000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.478086503.0000000005950000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 6612, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 800, type: MEMORY
Source: Yara match File source: 11.2.name.exe.5950000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.47d8c38.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.408e43c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.4092a65.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.408e43c.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.5950000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.48f8090.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.5954629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.47d8c38.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.name.exe.4089606.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.46d79c8.2.raw.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_0534247A bind, 11_2_0534247A
Source: C:\Users\user\AppData\Local\Temp\name.exe Code function: 11_2_05342428 bind, 11_2_05342428

Behavior Graph:

Behavior Graph ID: 411334
Sample: Invoice No F1019855_PDF.vbs
Startdate: 11/05/2021
Architecture: WINDOWS
Score: 100
Contacted domain: sys2021.linkpc.net
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures

Process tree (parent to child, with dropped files and signatures per node):

  • wscript.exe
      dropped: C:\Users\user\AppData\Local\Temp\name.exe (PE32); C:\Users\user\AppData\Local\Temp\file.exe (PE32)
      signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions
    • name.exe
        dropped: C:\Users\user\AppData\Roaming\LiydYED.exe (PE32)
        signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Injects a PE file into a foreign processes
      • name.exe
          DNS/IP: sys2021.linkpc.net 87.98.245.48 (ports 10090, 11940, 49725; OVHFR, France); 191.96.25.26 (ports 11940, 49736, 49739; AS40676US, Chile)
          dropped: C:\Users\user\AppData\Roaming\...\run.dat (data)
          signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
      • schtasks.exe
        • conhost.exe
    • file.exe
        dropped: C:\Users\user\AppData\Local\Temp\tmpAD9.tmp (XML); C:\Users\user\AppData\Roaming\JkeJLChUI.exe (PE32)
        signature: Uses schtasks.exe or at.exe to add and modify task schedules
      • file.exe
      • schtasks.exe
        • conhost.exe

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
191.96.25.26 | unknown | Chile | 40676 | AS40676US | false
87.98.245.48 | sys2021.linkpc.net | France | 16276 | OVHFR | false

Contacted Domains

Name | IP | Active
sys2021.linkpc.net | 87.98.245.48 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
| true | Avira URL Cloud: safe | low
sys2021.linkpc.net | false | | high