Play interactive tour

Edit tour

Analysis Report Invoice#06-11-2021_PDF.vbs

Overview

General Information

Sample Name:	Invoice#06-11-2021_PDF.vbs
Analysis ID:	433519
MD5:	fcc6014f7ee0539aead5f38b4fe5245e
SHA1:	2f006d44ad82ca71319a5bf615677016ff7e918b
SHA256:	699d670809bccdbbdb2ae85d80be86d6fd00586c56e0375df34527d4ec6045cf
Tags:	NanoCoreRATvbs
Infos:
Most interesting Screenshot:

Detection

Nanocore AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

VBScript performs obfuscated calls to suspicious functions

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 4804 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice#06-11-2021_PDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

file1.exe (PID: 5784 cmdline: 'C:\Users\user\AppData\Local\Temp\file1.exe' MD5: 07C82C84BAEC92953A270419C72D7F10)

schtasks.exe (PID: 5412 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HHyKJahmIz' /XML 'C:\Users\user\AppData\Local\Temp\tmpC46.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

file1.exe (PID: 4076 cmdline: {path} MD5: 07C82C84BAEC92953A270419C72D7F10)

2name.exe (PID: 5828 cmdline: 'C:\Users\user\AppData\Local\Temp\2name.exe' MD5: CF4CD927CCC626FB016D0E91CF6BD456)

2name.exe (PID: 5004 cmdline: {path} MD5: CF4CD927CCC626FB016D0E91CF6BD456)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c687c38e-2b2d-4d96-b5eb-9a31ccba", "Group": "Sys", "Domain1": "sys2021.linkpc.net", "Domain2": "", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "result@jetport-aero.comNiniola@456mail.jetport-aero.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000015.00000002.479174515.0000000004334000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000002.479905732.0000000005680000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000015.00000002.479905732.0000000005680000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000010.00000002.468518858.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.468518858.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x132f35:$x1: NanoCore.ClientPluginHost 0x132f72:$x2: IClientNetworkHost 0x136aa5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x132c9d:$a: NanoCore 0x132cad:$a: NanoCore 0x132ee1:$a: NanoCore 0x132ef5:$a: NanoCore 0x132f35:$a: NanoCore 0x132cfc:$b: ClientPlugin 0x132efe:$b: ClientPlugin 0x132f3e:$b: ClientPlugin 0x132e23:$c: ProjectData 0x13382a:$d: DESCrypto 0x13b1f6:$e: KeepAlive 0x1391e4:$g: LogClientMessage 0x1353df:$i: get_Connected 0x133b60:$j: #=q 0x133b90:$j: #=q 0x133bac:$j: #=q 0x133bdc:$j: #=q 0x133bf8:$j: #=q 0x133c14:$j: #=q 0x133c44:$j: #=q 0x133c60:$j: #=q
00000002.00000002.311010210.000000000CDE1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.311010210.000000000CDE1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa8045:$x1: NanoCore.ClientPluginHost 0xa8082:$x2: IClientNetworkHost 0xabbb5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa7dad:$a: NanoCore 0xa7dbd:$a: NanoCore 0xa7ff1:$a: NanoCore 0xa8005:$a: NanoCore 0xa8045:$a: NanoCore 0xa7e0c:$b: ClientPlugin 0xa800e:$b: ClientPlugin 0xa804e:$b: ClientPlugin 0xa7f33:$c: ProjectData 0xa893a:$d: DESCrypto 0xb0306:$e: KeepAlive 0xae2f4:$g: LogClientMessage 0xaa4ef:$i: get_Connected 0xa8c70:$j: #=q 0xa8ca0:$j: #=q 0xa8cbc:$j: #=q 0xa8cec:$j: #=q 0xa8d08:$j: #=q 0xa8d24:$j: #=q 0xa8d54:$j: #=q 0xa8d70:$j: #=q
00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000002.00000002.294907318.00000000038B1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.294907318.00000000038B1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000000.288308557.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000000.288308557.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: file1.exe PID: 4076	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1b532:$x1: NanoCore.ClientPluginHost 0x2c3a5:$x1: NanoCore.ClientPluginHost 0x40e8e:$x1: NanoCore.ClientPluginHost 0x7efe3:$x1: NanoCore.ClientPluginHost 0x17fd23:$x1: NanoCore.ClientPluginHost 0x1b169f:$x1: NanoCore.ClientPluginHost 0x1b577:$x2: IClientNetworkHost 0x2c3ea:$x2: IClientNetworkHost 0x40eef:$x2: IClientNetworkHost 0x7f009:$x2: IClientNetworkHost 0x17fd68:$x2: IClientNetworkHost 0x1b16c5:$x2: IClientNetworkHost 0x462f4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x54266:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: file1.exe PID: 4076	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: file1.exe PID: 4076	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b4ac:$a: NanoCore 0x1b4d9:$a: NanoCore 0x1b532:$a: NanoCore 0x22d41:$a: NanoCore 0x22d54:$a: NanoCore 0x22d86:$a: NanoCore 0x2c31f:$a: NanoCore 0x2c34c:$a: NanoCore 0x2c3a5:$a: NanoCore 0x33bb4:$a: NanoCore 0x33bc7:$a: NanoCore 0x33bf9:$a: NanoCore 0x40993:$a: NanoCore 0x409af:$a: NanoCore 0x40b0a:$a: NanoCore 0x40b19:$a: NanoCore 0x40df2:$a: NanoCore 0x40e1e:$a: NanoCore 0x40e8e:$a: NanoCore 0x508d0:$a: NanoCore 0x508e2:$a: NanoCore
Process Memory Space: file1.exe PID: 5784	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f9c35:$x1: NanoCore.ClientPluginHost 0x3f9c96:$x2: IClientNetworkHost 0x3ff09b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x40d00d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: file1.exe PID: 5784	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file1.exe PID: 5784	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: file1.exe PID: 5784	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3f973a:$a: NanoCore 0x3f9756:$a: NanoCore 0x3f98b1:$a: NanoCore 0x3f98c0:$a: NanoCore 0x3f9b99:$a: NanoCore 0x3f9bc5:$a: NanoCore 0x3f9c35:$a: NanoCore 0x409677:$a: NanoCore 0x409689:$a: NanoCore 0x4096c5:$a: NanoCore 0x3f97e1:$b: ClientPlugin 0x3f990a:$b: ClientPlugin 0x3f9bce:$b: ClientPlugin 0x3f9c3e:$b: ClientPlugin 0x409692:$b: ClientPlugin 0x4096ce:$b: ClientPlugin 0x387a51:$c: ProjectData 0x38891a:$c: ProjectData 0x3f9a57:$c: ProjectData 0x4095c4:$c: ProjectData 0x4b02f1:$c: ProjectData
Process Memory Space: 2name.exe PID: 5828	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 2name.exe PID: 5828	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 2name.exe PID: 5004	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 2name.exe PID: 5004	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
21.2.file1.exe.4346f00.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
21.2.file1.exe.4346f00.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
21.2.file1.exe.4346f00.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.file1.exe.5680000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
21.2.file1.exe.5680000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
21.2.file1.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.file1.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.2.file1.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.file1.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.file1.exe.d3e8eb8.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.file1.exe.d3e8eb8.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.file1.exe.d3e8eb8.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.file1.exe.d3e8eb8.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.file1.exe.4346f00.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
21.2.file1.exe.4346f00.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
21.2.file1.exe.4346f00.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.file1.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.file1.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.file1.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.file1.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.file1.exe.434b529.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
21.2.file1.exe.434b529.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
21.2.file1.exe.434b529.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.2name.exe.ce83cb8.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.2name.exe.ce83cb8.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
21.0.file1.exe.400000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.0.file1.exe.400000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.0.file1.exe.400000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.0.file1.exe.400000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.file1.exe.32f12e0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
21.2.file1.exe.32f12e0.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
16.2.2name.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.2name.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
21.2.file1.exe.5c00000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
21.2.file1.exe.5c00000.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
21.2.file1.exe.5c00000.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.file1.exe.5c04629.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
21.2.file1.exe.5c04629.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
21.2.file1.exe.5c04629.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.2name.exe.ce83cb8.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.2name.exe.ce83cb8.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.file1.exe.d3e8eb8.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.file1.exe.d3e8eb8.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.file1.exe.d3e8eb8.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.file1.exe.d3e8eb8.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
1.2.file1.exe.3fbb588.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc89ad:$x1: NanoCore.ClientPluginHost 0xc89ea:$x2: IClientNetworkHost 0xcc51d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.file1.exe.3fbb588.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.file1.exe.3fbb588.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc8715:$a: NanoCore 0xc8725:$a: NanoCore 0xc8959:$a: NanoCore 0xc896d:$a: NanoCore 0xc89ad:$a: NanoCore 0xc8774:$b: ClientPlugin 0xc8976:$b: ClientPlugin 0xc89b6:$b: ClientPlugin 0xc889b:$c: ProjectData 0xc92a2:$d: DESCrypto 0xd0c6e:$e: KeepAlive 0xcec5c:$g: LogClientMessage 0xcae57:$i: get_Connected 0xc95d8:$j: #=q 0xc9608:$j: #=q 0xc9624:$j: #=q 0xc9654:$j: #=q 0xc9670:$j: #=q 0xc968c:$j: #=q 0xc96bc:$j: #=q 0xc96d8:$j: #=q
21.2.file1.exe.5c00000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
21.2.file1.exe.5c00000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
21.2.file1.exe.5c00000.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.0.2name.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.0.2name.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 48 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\file1.exe, ProcessId: 4076, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\file1.exe, ProcessId: 4076, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\file1.exe, ProcessId: 4076, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\file1.exe, ProcessId: 4076, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000015.00000002.479174515.0000000004334000.00000004.00000001.sdmp	Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c687c38e-2b2d-4d96-b5eb-9a31ccba", "Group": "Sys", "Domain1": "sys2021.linkpc.net", "Domain2": "", "Port": 11940, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source: 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "result@jetport-aero.comNiniola@456mail.jetport-aero.com"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000015.00000002.479174515.0000000004334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file1.exe PID: 4076, type: MEMORY
Source: Yara match	File source: Process Memory Space: file1.exe PID: 5784, type: MEMORY
Source: Yara match	File source: 21.2.file1.exe.4346f00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file1.exe.d3e8eb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.4346f00.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.file1.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.434b529.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.file1.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.5c00000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.5c04629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file1.exe.d3e8eb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file1.exe.3fbb588.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.5c00000.11.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\HHyKJahmIz.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Joe Sandbox ML: detected

Source: 21.2.file1.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.file1.exe.4346f00.5.unpack	Avira: Label: TR/NanoCore.fadte
Source: 21.0.file1.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.0.file1.exe.400000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 16.2.2name.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 21.2.file1.exe.5c00000.11.unpack	Avira: Label: TR/NanoCore.fadte
Source: 16.0.2name.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8

Source: C:\Users\user\AppData\Local\Temp\file1.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\fHUHYTcyNn\src\obj\Debug\Fojl.pdb source: file1.exe, HHyKJahmIz.exe.1.dr
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\BgZPfvXhjX\src\obj\Debug\ybwg.pdb source: 2name.exe, 2name.exe.0.dr
Source:	Binary string: mscorrc.pdb source: file1.exe, 00000001.00000002.306351221.0000000007090000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.301515455.0000000006520000.00000002.00000001.sdmp, 2name.exe, 00000010.00000002.481913869.0000000006450000.00000002.00000001.sdmp, file1.exe, 00000015.00000002.480073860.00000000057B0000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49731 -> 191.96.25.26:11940
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 191.96.25.26:11940
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 191.96.25.26:11940
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 191.96.25.26:11940
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 191.96.25.26:11940

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs:
Source: Malware configuration extractor	URLs: sys2021.linkpc.net

Source: global traffic	TCP traffic: 192.168.2.3:49723 -> 52.39.28.134:11940
Source: global traffic	TCP traffic: 192.168.2.3:49731 -> 191.96.25.26:11940
Source: global traffic	TCP traffic: 192.168.2.3:49736 -> 217.182.175.206:587

Source: Joe Sandbox View	IP Address: 191.96.25.26 191.96.25.26
Source: Joe Sandbox View	IP Address: 217.182.175.206 217.182.175.206

Source: Joe Sandbox View	ASN Name: AS40676US AS40676US
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: global traffic

TCP traffic: 192.168.2.3:49736 -> 217.182.175.206:587

Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26
Source: unknown	TCP traffic detected without corresponding DNS query: 191.96.25.26

Source: C:\Users\user\AppData\Local\Temp\file1.exe

Code function: 21_2_055E2936 WSARecv,

Source: unknown

DNS traffic detected: queries for: clientconfig.passport.net

Source: 2name.exe, 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: 2name.exe, 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: 2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: 2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: 2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: 2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, file1.exe, 00000001.00000003.208580143.00000000052BB000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.298084668.0000000004E70000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 2name.exe, 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	String found in binary or memory: http://gKSfZA.com
Source: 2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0/
Source: 2name.exe, 00000010.00000002.482412718.000000000760F000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0m
Source: 2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: 2name.exe, 00000002.00000003.215138787.0000000004D1E000.00000004.00000001.sdmp	String found in binary or memory: http://www.agfamonotype.
Source: file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.298084668.0000000004E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 2name.exe, 00000002.00000003.210776108.0000000000D3D000.00000004.00000001.sdmp, 2name.exe, 00000002.00000003.211318733.0000000004D03000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: 2name.exe, 00000002.00000003.211273379.0000000004D0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comC
Source: file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 2name.exe, 00000002.00000003.210776108.0000000000D3D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 2name.exe, 00000002.00000003.212658288.0000000004D15000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frer
Source: file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: file1.exe, 00000001.00000002.294083787.0000000001147000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comgrito
Source: 2name.exe, 00000002.00000002.297889020.0000000004D00000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comionu
Source: file1.exe, 00000001.00000003.208338149.00000000052BB000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.298084668.0000000004E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: file1.exe, 00000001.00000003.208338149.00000000052BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com8
Source: file1.exe, 00000001.00000003.208373034.00000000052BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc
Source: file1.exe, 00000001.00000003.208338149.00000000052BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comic
Source: file1.exe, 00000001.00000003.208338149.00000000052BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn
Source: file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.298084668.0000000004E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: file1.exe, 00000001.00000003.209781217.00000000052A4000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnk
Source: file1.exe, 00000001.00000003.213306168.00000000052DD000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: file1.exe, 00000001.00000003.213306168.00000000052DD000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/c
Source: file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, file1.exe, 00000001.00000003.213754536.00000000052A4000.00000004.00000001.sdmp, 2name.exe, 00000002.00000003.214409435.0000000004D19000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 2name.exe, 00000002.00000003.211507950.0000000004D03000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: 2name.exe, 00000002.00000003.211507950.0000000004D03000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/X
Source: 2name.exe, 00000002.00000003.211507950.0000000004D03000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 2name.exe, 00000002.00000003.211318733.0000000004D03000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: 2name.exe, 00000002.00000003.211507950.0000000004D03000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: 2name.exe, 00000002.00000003.214932192.0000000004D0E000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: file1.exe, 00000001.00000003.208338149.00000000052BB000.00000004.00000001.sdmp, file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.298084668.0000000004E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: file1.exe, 00000001.00000003.208338149.00000000052BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com4
Source: file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000003.211690154.0000000004D17000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.298084668.0000000004E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 2name.exe, 00000010.00000002.482412718.000000000760F000.00000004.00000001.sdmp	String found in binary or memory: http://x1.i.len
Source: 2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 2name.exe, 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%(
Source: 2name.exe, 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: 2name.exe, 00000010.00000002.478136134.00000000033C3000.00000004.00000001.sdmp	String found in binary or memory: https://w5tNnUBgMNAftBN.net
Source: 2name.exe, 00000002.00000002.311010210.000000000CDE1000.00000004.00000001.sdmp, 2name.exe, 00000010.00000002.468518858.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: 2name.exe, 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: file1.exe, 00000001.00000002.293733593.0000000000E99000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\AppData\Local\Temp\2name.exe

Window created: window name: CLIPBRDWNDCLASS

Source: file1.exe, 00000015.00000002.479174515.0000000004334000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000015.00000002.479174515.0000000004334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file1.exe PID: 4076, type: MEMORY
Source: Yara match	File source: Process Memory Space: file1.exe PID: 5784, type: MEMORY
Source: Yara match	File source: 21.2.file1.exe.4346f00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file1.exe.d3e8eb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.4346f00.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.file1.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.434b529.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.file1.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.5c00000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.5c04629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file1.exe.d3e8eb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file1.exe.3fbb588.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.5c00000.11.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.479905732.0000000005680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: file1.exe PID: 4076, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: file1.exe PID: 4076, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: file1.exe PID: 5784, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: file1.exe PID: 5784, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.file1.exe.4346f00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.file1.exe.5680000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.file1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.file1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.file1.exe.d3e8eb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.file1.exe.d3e8eb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.file1.exe.4346f00.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.file1.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.file1.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.file1.exe.434b529.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.file1.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.0.file1.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.file1.exe.32f12e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.file1.exe.5c00000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.file1.exe.5c04629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.file1.exe.d3e8eb8.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.file1.exe.d3e8eb8.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.file1.exe.3fbb588.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.file1.exe.3fbb588.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.file1.exe.5c00000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

.NET source code contains very large array initializations

Show sources

Source: 16.2.2name.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bCC1C2456u002d206Cu002d47B2u002dB640u002d7A9D0A18E16Bu007d/B899F0BCu002d2DBBu002d4D46u002dA39Eu002dC38AFE9A69B6.cs	Large array initialization: .cctor: array initializer size 12097
Source: 16.0.2name.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bCC1C2456u002d206Cu002d47B2u002dB640u002d7A9D0A18E16Bu007d/B899F0BCu002d2DBBu002d4D46u002dA39Eu002dC38AFE9A69B6.cs	Large array initialization: .cctor: array initializer size 12097

.NET source code contains very large strings

Show sources

Source: file1.exe.0.dr, Util/Form1.cs	Long String: Length: 11840
Source: HHyKJahmIz.exe.1.dr, Util/Form1.cs	Long String: Length: 11840
Source: 1.0.file1.exe.5d0000.0.unpack, Util/Form1.cs	Long String: Length: 11840
Source: 1.2.file1.exe.5d0000.0.unpack, Util/Form1.cs	Long String: Length: 11840
Source: 2.0.2name.exe.190000.0.unpack, Util/Form1.cs	Long String: Length: 11840
Source: 2.2.2name.exe.190000.0.unpack, Util/Form1.cs	Long String: Length: 11840
Source: 16.0.2name.exe.a30000.2.unpack, Util/Form1.cs	Long String: Length: 11840
Source: 16.2.2name.exe.a30000.1.unpack, Util/Form1.cs	Long String: Length: 11840
Source: 16.0.2name.exe.a30000.0.unpack, Util/Form1.cs	Long String: Length: 11840

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_05153A6A NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_05153A39 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_04BD27EE NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_04BD27B4 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_055E116A NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_055E112F NtQuerySystemInformation,

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_010C2E09
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02A95420
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02A945A0
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02A94EF9
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02A91F08
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02A91F18
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02A92CE8
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02A92CF8
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02A95411
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02A9458F
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02AD22C2
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B47EF9
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B44EC8
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B46C00
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4ED80
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B487E8
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B467C0
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4D130
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B47720
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B40128
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4C967
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B46148
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B476A6
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B476FE
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4C84E
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4D848
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4C649
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4DDAF
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4AD90
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4D591
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4B780
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4C78E
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4AD8A
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4DDE0
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4B530
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B46138
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4B320
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4B528
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4B311
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B40118
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B48309
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4B970
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4ED72
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02B4B77A
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_005D2050
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241D640
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02416C10
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02414ED8
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_024176E8
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241DAB8
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02416148
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02418710
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_024167D0
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02417DE0
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_024195A0
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02417650
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02416C08
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241CE10
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241C81E
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02418220
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02418230
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241D630
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241B8C0
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241B4C0
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02414EC8
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241B2C8
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241B4D0
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241B2D8
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241DAA8
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_024194B0
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241B8BF
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02418700
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02410118
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241B718
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241B720
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241AD20
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241AD30
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02416138
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241A338
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02417DD1
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_0241CDDC
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_04901E30
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_04900070
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_04903A97
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_049026B0
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_049026C0
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_04901E21
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_04903C70
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_04903C6F
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_049041D0
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_049041C1
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_00192050
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02411E9D
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 16_2_015F0CB0
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 16_2_00A32050
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_054CAD38
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_054C8468
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_054C9068
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_054C2FA8
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_054C23A0
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_054C9910
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_054C912F
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_054C306F
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_00C42050

Source: Invoice#06-11-2021_PDF.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Users\user\AppData\Local\Temp\2name.exe

Section loaded: security.dll

Source: 00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.479905732.0000000005680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.479905732.0000000005680000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: file1.exe PID: 4076, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: file1.exe PID: 4076, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: file1.exe PID: 5784, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: file1.exe PID: 5784, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.file1.exe.4346f00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.file1.exe.4346f00.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.file1.exe.5680000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.file1.exe.5680000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.file1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.file1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.file1.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.file1.exe.d3e8eb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.file1.exe.d3e8eb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.file1.exe.d3e8eb8.9.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.file1.exe.4346f00.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.file1.exe.4346f00.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.0.file1.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.file1.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.0.file1.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.file1.exe.434b529.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.file1.exe.434b529.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.0.file1.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.0.file1.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.0.file1.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.file1.exe.32f12e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.file1.exe.32f12e0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.file1.exe.5c00000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.file1.exe.5c00000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.file1.exe.5c04629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.file1.exe.5c04629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.file1.exe.d3e8eb8.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.file1.exe.d3e8eb8.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.file1.exe.d3e8eb8.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.file1.exe.3fbb588.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.file1.exe.3fbb588.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.file1.exe.5c00000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.file1.exe.5c00000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: file1.exe.0.dr, Util/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: HHyKJahmIz.exe.1.dr, Util/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.file1.exe.5d0000.0.unpack, Util/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.file1.exe.5d0000.0.unpack, Util/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.2name.exe.190000.0.unpack, Util/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.2name.exe.190000.0.unpack, Util/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winVBS@12/8@5/3

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_051534BA AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_05153483 AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_04BD271E AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_04BD26E7 AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_055E0F2A AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_055E0EF3 AdjustTokenPrivileges,

Source: C:\Users\user\AppData\Local\Temp\file1.exe

File created: C:\Users\user\AppData\Roaming\HHyKJahmIz.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2name.exe	Mutant created: \Sessions\1\BaseNamedObjects\QUEliPPQLXYqEIejkDjxjhpJy
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{c687c38e-2b2d-4d96-b5eb-9a31ccba603d}
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Mutant created: \Sessions\1\BaseNamedObjects\XwcfCsvtCuqlwxDKlK

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\file1.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice#06-11-2021_PDF.vbs'

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\AppData\Local\Temp\2name.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\2name.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\2name.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2name.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice#06-11-2021_PDF.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\file1.exe 'C:\Users\user\AppData\Local\Temp\file1.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\2name.exe 'C:\Users\user\AppData\Local\Temp\2name.exe'
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process created: C:\Users\user\AppData\Local\Temp\2name.exe {path}
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HHyKJahmIz' /XML 'C:\Users\user\AppData\Local\Temp\tmpC46.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process created: C:\Users\user\AppData\Local\Temp\file1.exe {path}
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\file1.exe 'C:\Users\user\AppData\Local\Temp\file1.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\2name.exe 'C:\Users\user\AppData\Local\Temp\2name.exe'
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HHyKJahmIz' /XML 'C:\Users\user\AppData\Local\Temp\tmpC46.tmp'
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process created: C:\Users\user\AppData\Local\Temp\file1.exe {path}
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process created: C:\Users\user\AppData\Local\Temp\2name.exe {path}

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Users\user\AppData\Local\Temp\file1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: Invoice#06-11-2021_PDF.vbs

Static file information: File size 2064477 > 1048576

Source: C:\Users\user\AppData\Local\Temp\file1.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\fHUHYTcyNn\src\obj\Debug\Fojl.pdb source: file1.exe, HHyKJahmIz.exe.1.dr
Source:	Binary string: C:\Users\Administrator\Desktop\Client\Temp\BgZPfvXhjX\src\obj\Debug\ybwg.pdb source: 2name.exe, 2name.exe.0.dr
Source:	Binary string: mscorrc.pdb source: file1.exe, 00000001.00000002.306351221.0000000007090000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.301515455.0000000006520000.00000002.00000001.sdmp, 2name.exe, 00000010.00000002.481913869.0000000006450000.00000002.00000001.sdmp, file1.exe, 00000015.00000002.480073860.00000000057B0000.00000002.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\file1.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAG0PvmAAAAAAAAAAAOAAAgELATAAAIALAAAIAAAAAAAA6p4");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\file1.exe", "2");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAOUQvmAAAAAAAAAAAOAAAgELATAAAAoLAAAIAAAAAAAAwig");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\2name.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\file1.exe");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\2name.exe")

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: file1.exe.0.dr, Util/Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: HHyKJahmIz.exe.1.dr, Util/Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 1.0.file1.exe.5d0000.0.unpack, Util/Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 1.2.file1.exe.5d0000.0.unpack, Util/Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 2.0.2name.exe.190000.0.unpack, Util/Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 2.2.2name.exe.190000.0.unpack, Util/Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 16.0.2name.exe.a30000.2.unpack, Util/Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 16.2.2name.exe.a30000.1.unpack, Util/Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 16.0.2name.exe.a30000.0.unpack, Util/Form1.cs	.Net Code: LateBinding.LateCall(V_1, null, "Invoke", new object[] { 0, V_0 }, null, null)

.NET source code contains potential unpacker

Show sources

Source: file1.exe.0.dr, Util/Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: HHyKJahmIz.exe.1.dr, Util/Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.file1.exe.5d0000.0.unpack, Util/Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.file1.exe.5d0000.0.unpack, Util/Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.2name.exe.190000.0.unpack, Util/Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.2name.exe.190000.0.unpack, Util/Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.2name.exe.a30000.2.unpack, Util/Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.2name.exe.a30000.1.unpack, Util/Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.2name.exe.a30000.0.unpack, Util/Form1.cs	.Net Code: I_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_010C7ACB push 5C010C7Eh; ret
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02A312A2 push esp; iretd
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 1_2_02A93B49 pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 2_2_02418AAE push esi; iretd
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 16_2_05CD41E8 push cs; retf
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 16_2_05CD4175 push cs; retf
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Code function: 16_2_05CD425C push cs; retf
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_015EABD8 push cs; retf
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_015EAAEF push cs; retf
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_015EAB63 push cs; retf
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_015E9D30 pushad ; retf
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_015E9D2C push eax; retf

Source: initial sample	Static PE information: section name: .text entropy: 7.50207459163
Source: initial sample	Static PE information: section name: .text entropy: 7.50207459163

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\file1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\file1.exe	File created: C:\Users\user\AppData\Roaming\HHyKJahmIz.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\2name.exe	Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\AppData\Local\Temp\file1.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HHyKJahmIz' /XML 'C:\Users\user\AppData\Local\Temp\tmpC46.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\file1.exe

File opened: C:\Users\user\AppData\Local\Temp\file1.exe:Zone.Identifier read attributes | delete

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: Process Memory Space: file1.exe PID: 5784, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2name.exe PID: 5828, type: MEMORY

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Show sources

Source: C:\Users\user\AppData\Local\Temp\2name.exe

Function Chain: threadDelayed,memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,processSet,processSet,memAlloc

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\2name.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\2name.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\file1.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\2name.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: file1.exe, 00000001.00000002.295261844.0000000002F51000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file1.exe, 00000001.00000002.295499001.0000000002FA5000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.293280762.0000000002905000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\2name.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\file1.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\2name.exe	Window / User API: threadDelayed 358
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Window / User API: threadDelayed 358
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Window / User API: foregroundWindowGot 696

Source: C:\Users\user\AppData\Local\Temp\file1.exe TID: 5812	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\2name.exe TID: 5272	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\2name.exe TID: 5272	Thread sleep count: 358 > 30
Source: C:\Users\user\AppData\Local\Temp\2name.exe TID: 5272	Thread sleep time: -10740000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\2name.exe TID: 5272	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\2name.exe TID: 4620	Thread sleep count: 114 > 30
Source: C:\Users\user\AppData\Local\Temp\2name.exe TID: 5272	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\file1.exe TID: 1872	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\file1.exe TID: 1872	Thread sleep count: 97 > 30
Source: C:\Users\user\AppData\Local\Temp\file1.exe TID: 1872	Thread sleep count: 180 > 30
Source: C:\Users\user\AppData\Local\Temp\file1.exe TID: 1632	Thread sleep count: 358 > 30
Source: C:\Users\user\AppData\Local\Temp\file1.exe TID: 4144	Thread sleep time: -120000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\2name.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\2name.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\2name.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\file1.exe

Code function: 21_2_055E0BB6 GetSystemInfo,

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Thread delayed: delay time: 922337203685477

Source: 2name.exe, 00000002.00000002.291497957.0000000000932000.00000004.00000020.sdmp	Binary or memory string: VMware
Source: 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware Tools
Source: wscript.exe, 00000000.00000002.211623017.0000019EB28A0000.00000002.00000001.sdmp, 2name.exe, 00000010.00000002.480786850.0000000005A40000.00000002.00000001.sdmp, file1.exe, 00000015.00000002.472979252.0000000001390000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: krA"SOFTWARE\VMware, Inc.\VMware Tools
Source: 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: file1.exe, 00000001.00000002.293875714.0000000000F40000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}j
Source: 2name.exe, 00000002.00000002.293280762.0000000002905000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: wscript.exe, 00000000.00000002.211623017.0000019EB28A0000.00000002.00000001.sdmp, 2name.exe, 00000010.00000002.480786850.0000000005A40000.00000002.00000001.sdmp, file1.exe, 00000015.00000002.472979252.0000000001390000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: kr#"SOFTWARE\VMware, Inc.\VMware T
Source: 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 2name.exe, 00000002.00000002.293280762.0000000002905000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: 2name.exe, 00000010.00000002.472619291.000000000120A000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 00000000.00000003.199257789.0000019EB0190000.00000004.00000001.sdmp, Invoice#06-11-2021_PDF.vbs	Binary or memory string: 'PywLQqLQJgRpHhwTuIPzMzmJNdILTuqemuOCGvnLgvycNPhSeUypXFXPLnymiAxOqnCMStMzUESRBKvxvpgywAGhXzqTxBcgxkmaNUAkIyUTmFOBsAqsTySpgVpSDtCTbmTRYVkaowqxfnuRkpbwKjMySwtrfhhOwBrAmxcWPPEXIUJtaXiNRFIrZUybcsvHObBevufnNEhufpqxmzRHzUwqsAaSyBuWUwIhTfxfsuANYNLkeBocbnHteKlvUMpMJLaigJdHCmPEUjSepqowMSvgpOCJtCLfFnDMncDVYhZoYCZurGGe
Source: 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: kr87HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools\.
Source: 2name.exe, 00000002.00000002.291497957.0000000000932000.00000004.00000020.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareULWRT6SEWin32_VideoControllerR3PNAUW9VideoController120060621000000.000000-000.8355.36display.infMSBDAHH3KYOFKPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsP9_R1FNA
Source: wscript.exe, 00000000.00000003.208113503.0000019EB0303000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Te
Source: wscript.exe, 00000000.00000002.211623017.0000019EB28A0000.00000002.00000001.sdmp, 2name.exe, 00000010.00000002.480786850.0000000005A40000.00000002.00000001.sdmp, file1.exe, 00000015.00000002.472979252.0000000001390000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 2name.exe, 00000002.00000002.293211794.00000000028B1000.00000004.00000001.sdmp	Binary or memory string: kr&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 2name.exe, 00000010.00000002.472266625.00000000011C5000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW\user\AppData
Source: wscript.exe, 00000000.00000002.211623017.0000019EB28A0000.00000002.00000001.sdmp, 2name.exe, 00000010.00000002.480786850.0000000005A40000.00000002.00000001.sdmp, file1.exe, 00000015.00000002.472979252.0000000001390000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\2name.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\file1.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: file1.exe.0.dr

Jump to dropped file

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Memory written: C:\Users\user\AppData\Local\Temp\file1.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Memory written: C:\Users\user\AppData\Local\Temp\2name.exe base: 400000 value starts with: 4D5A

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\file1.exe 'C:\Users\user\AppData\Local\Temp\file1.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\2name.exe 'C:\Users\user\AppData\Local\Temp\2name.exe'
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HHyKJahmIz' /XML 'C:\Users\user\AppData\Local\Temp\tmpC46.tmp'
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process created: C:\Users\user\AppData\Local\Temp\file1.exe {path}
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Process created: C:\Users\user\AppData\Local\Temp\2name.exe {path}

Source: 2name.exe, 00000010.00000002.473284128.00000000019A0000.00000002.00000001.sdmp, file1.exe, 00000015.00000002.478984114.000000000345E000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: 2name.exe, 00000010.00000002.473284128.00000000019A0000.00000002.00000001.sdmp, file1.exe, 00000015.00000002.473894557.00000000019F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: 2name.exe, 00000010.00000002.473284128.00000000019A0000.00000002.00000001.sdmp, file1.exe, 00000015.00000002.473894557.00000000019F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: 2name.exe, 00000010.00000002.473284128.00000000019A0000.00000002.00000001.sdmp, file1.exe, 00000015.00000002.473894557.00000000019F0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: file1.exe, 00000015.00000002.478915985.0000000003400000.00000004.00000001.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2name.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\file1.exe

Code function: 1_2_05152102 GetUserNameA,

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000010.00000002.468518858.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.311010210.000000000CDE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.294907318.00000000038B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.288308557.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.2name.exe.ce83cb8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.2name.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.2name.exe.ce83cb8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.2name.exe.400000.1.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000010.00000002.468518858.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.311010210.000000000CDE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.294907318.00000000038B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.288308557.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2name.exe PID: 5828, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2name.exe PID: 5004, type: MEMORY
Source: Yara match	File source: 2.2.2name.exe.ce83cb8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.2name.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.2name.exe.ce83cb8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.2name.exe.400000.1.unpack, type: UNPACKEDPE

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000015.00000002.479174515.0000000004334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file1.exe PID: 4076, type: MEMORY
Source: Yara match	File source: Process Memory Space: file1.exe PID: 5784, type: MEMORY
Source: Yara match	File source: 21.2.file1.exe.4346f00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file1.exe.d3e8eb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.4346f00.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.file1.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.434b529.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.file1.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.5c00000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.5c04629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file1.exe.d3e8eb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file1.exe.3fbb588.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.5c00000.11.unpack, type: UNPACKEDPE

Source: Yara match	File source: 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2name.exe PID: 5004, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: file1.exe, 00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: file1.exe, 00000015.00000002.479174515.0000000004334000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: file1.exe, 00000015.00000002.479905732.0000000005680000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000010.00000002.468518858.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.311010210.000000000CDE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.294907318.00000000038B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.288308557.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.2name.exe.ce83cb8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.2name.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.2name.exe.ce83cb8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.2name.exe.400000.1.unpack, type: UNPACKEDPE

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000010.00000002.468518858.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.311010210.000000000CDE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.294907318.00000000038B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.288308557.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2name.exe PID: 5828, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2name.exe PID: 5004, type: MEMORY
Source: Yara match	File source: 2.2.2name.exe.ce83cb8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.2name.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.2name.exe.ce83cb8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.2name.exe.400000.1.unpack, type: UNPACKEDPE

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000015.00000002.479174515.0000000004334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file1.exe PID: 4076, type: MEMORY
Source: Yara match	File source: Process Memory Space: file1.exe PID: 5784, type: MEMORY
Source: Yara match	File source: 21.2.file1.exe.4346f00.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file1.exe.d3e8eb8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.4346f00.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.file1.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.434b529.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.file1.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.5c00000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.5c04629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file1.exe.d3e8eb8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.file1.exe.3fbb588.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.file1.exe.5c00000.11.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_055E247A bind,
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 21_2_055E2428 bind,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation311	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	Input Capture21	Account Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting121	Scheduled Task/Job1	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Input Capture21	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Process Injection112	Scripting121	Security Account Manager	System Information Discovery114	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution1	Logon Script (Mac)	Scheduled Task/Job1	Obfuscated Files or Information3	NTDS	Query Registry1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Scheduled Task/Job1	Network Logon Script	Network Logon Script	Software Packing22	LSA Secrets	Security Software Discovery321	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol1	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol111	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Virtualization/Sandbox Evasion241	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion241	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection112	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Hidden Files and Directories1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\HHyKJahmIz.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\file1.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\2name.exe	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
21.2.file1.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.2.file1.exe.4346f00.5.unpack	100%	Avira	TR/NanoCore.fadte	Download File
21.0.file1.exe.400000.1.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
21.0.file1.exe.400000.3.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
16.2.2name.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
21.2.file1.exe.5c00000.11.unpack	100%	Avira	TR/NanoCore.fadte	Download File
16.0.2name.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

Source	Detection	Scanner	Label	Link
clientconfig.passport.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.carterandcone.comn-u	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.sajatypeworks.com4	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/Y0/X	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://r3.i.lencr.org/0/	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.fonts.comic	0%	URL Reputation	safe
http://www.founder.com.cn/cnk	0%	Avira URL Cloud	safe
http://www.carterandcone.comC	0%	URL Reputation	safe
http://www.carterandcone.comC	0%	URL Reputation	safe
http://www.carterandcone.comC	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://gKSfZA.com	0%	Avira URL Cloud	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.fontbureau.comgrito	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.galapagosdesign.com/c	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://x1.i.len	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.agfamonotype.	0%	URL Reputation	safe
http://www.agfamonotype.	0%	URL Reputation	safe
http://www.agfamonotype.	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sys2021.linkpc.net	52.39.28.134	true	false		high
jetport-aero.com	217.182.175.206	true	true		unknown
mail.jetport-aero.com	unknown	unknown	true		unknown
clientconfig.passport.net	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	low
sys2021.linkpc.net	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	2name.exe, 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comn-u	2name.exe, 00000002.00000003.210776108.0000000000D3D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com4	file1.exe, 00000001.00000003.208338149.00000000052BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false		high
http://www.tiro.com	2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.298084668.0000000004E70000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	2name.exe, 00000002.00000003.210776108.0000000000D3D000.00000004.00000001.sdmp, 2name.exe, 00000002.00000003.211318733.0000000004D03000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/Y0/X	2name.exe, 00000002.00000003.211507950.0000000004D03000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	file1.exe, 00000001.00000003.208338149.00000000052BB000.00000004.00000001.sdmp, file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.298084668.0000000004E70000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.i.lencr.org/0/	2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.298084668.0000000004E70000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, file1.exe, 00000001.00000003.213754536.00000000052A4000.00000004.00000001.sdmp, 2name.exe, 00000002.00000003.214409435.0000000004D19000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, file1.exe, 00000001.00000003.208580143.00000000052BB000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.298084668.0000000004E70000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comic	file1.exe, 00000001.00000003.208338149.00000000052BB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnk	file1.exe, 00000001.00000003.209781217.00000000052A4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comC	2name.exe, 00000002.00000003.211273379.0000000004D0D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://x1.c.lencr.org/0	2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://x1.i.lencr.org/0	2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://gKSfZA.com	2name.exe, 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.o.lencr.org0	2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comn	file1.exe, 00000001.00000003.208338149.00000000052BB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comgrito	file1.exe, 00000001.00000002.294083787.0000000001147000.00000004.00000040.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%GETMozilla/5.0	2name.exe, 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	file1.exe, 00000001.00000003.208338149.00000000052BB000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.298084668.0000000004E70000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/c	file1.exe, 00000001.00000003.213306168.00000000052DD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000003.211690154.0000000004D17000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	2name.exe, 00000002.00000002.311010210.000000000CDE1000.00000004.00000001.sdmp, 2name.exe, 00000010.00000002.468518858.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://x1.i.len	2name.exe, 00000010.00000002.482412718.000000000760F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.root-x1.letsencrypt.org0	2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.298084668.0000000004E70000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/	file1.exe, 00000001.00000003.213306168.00000000052DD000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://DynDns.comDynDNS	2name.exe, 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comc	file1.exe, 00000001.00000003.208373034.00000000052BB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.agfamonotype.	2name.exe, 00000002.00000003.215138787.0000000004D1E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://cps.letsencrypt.org0	2name.exe, 00000010.00000002.482353717.00000000075D0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	2name.exe, 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.ipify.org%(	2name.exe, 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/A	2name.exe, 00000002.00000003.211507950.0000000004D03000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	2name.exe, 00000002.00000003.211507950.0000000004D03000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frer	2name.exe, 00000002.00000003.212658288.0000000004D15000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false		high
http://r3.i.lencr.org/0m	2name.exe, 00000010.00000002.482412718.000000000760F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/s	2name.exe, 00000002.00000003.211507950.0000000004D03000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/r	2name.exe, 00000002.00000003.211318733.0000000004D03000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.monotype.	2name.exe, 00000002.00000003.214932192.0000000004D0E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	file1.exe, 00000001.00000002.303254144.0000000006532000.00000004.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	file1.exe, 00000001.00000002.298962464.0000000005410000.00000002.00000001.sdmp, 2name.exe, 00000002.00000002.299542442.0000000005F02000.00000004.00000001.sdmp	false		high
http://www.fontbureau.comionu	2name.exe, 00000002.00000002.297889020.0000000004D00000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://w5tNnUBgMNAftBN.net	2name.exe, 00000010.00000002.478136134.00000000033C3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com8	file1.exe, 00000001.00000003.208338149.00000000052BB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
191.96.25.26	unknown	Chile	40676	AS40676US	true
52.39.28.134	sys2021.linkpc.net	United States	16509	AMAZON-02US	false
217.182.175.206	jetport-aero.com	France	16276	OVHFR	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433519
Start date:	12.06.2021
Start time:	08:07:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 54s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Invoice#06-11-2021_PDF.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@12/8@5/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, wermgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 84.53.167.113, 2.17.179.193, 20.190.160.129, 20.190.160.132, 20.190.160.69, 20.190.160.134, 20.190.160.2, 20.190.160.4, 20.190.160.67, 20.190.160.73, 93.184.220.29, 88.221.62.148, 92.123.150.225, 23.218.209.198, 204.79.197.200, 13.107.21.200, 20.50.102.62, 23.218.208.56, 92.122.145.220, 13.107.42.23, 13.107.5.88, 20.82.210.154, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, www.tm.lg.prod.aadmsa.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, cdn.onenote.net.edgekey.net, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, www.bing.com, fs.microsoft.com, afdo-tas-offload.trafficmanager.net, dual-a-0001.a-msedge.net, www.tm.a.prd.aadg.akadns.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, ocos-office365-s2s.msedge.net, client-office365-tas.msedge.net, config.edge.skype.com.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, e15275.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, l-0014.config.skype.com, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, msagfx.live.com-6.edgekey.net, e12564.dspb.akamaiedge.net, authgfx.msa.akadns6.net, go.microsoft.com, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, storeedgefd.dsx.mp.microsoft.com, skypedataprdcolwus17.cloudapp.net, tile-service.weather.microsoft.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, go.microsoft.com.edgekey.net, e16646.dscg.akamaiedge.net, l-0014.l-msedge.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:08:52	API Interceptor	662x Sleep call for process: file1.exe modified
08:08:56	API Interceptor	658x Sleep call for process: 2name.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
191.96.25.26	Invoice Payment_PDF.vbs	Get hash	malicious	Browse
	Invoice for B1019855_PDF.vbs	Get hash	malicious	Browse
	02_extracted.exe	Get hash	malicious	Browse
	Invoice No B1019855_PDF.vbs	Get hash	malicious	Browse
	02_extracted.exe	Get hash	malicious	Browse
	03_extracted.exe	Get hash	malicious	Browse
	Invoice No F1019855_PDF.vbs	Get hash	malicious	Browse
	Invoice No F1019855_PDF.vbs	Get hash	malicious	Browse
	Spec_PDF.vbs	Get hash	malicious	Browse
	SpecPDF.vbs	Get hash	malicious	Browse
52.39.28.134	02_extracted.exe	Get hash	malicious	Browse
217.182.175.206	Invoice Payment_PDF.vbs	Get hash	malicious	Browse
	Invoice for B1019855_PDF.vbs	Get hash	malicious	Browse
	01_extracted.exe	Get hash	malicious	Browse
	Invoice No B1019855_PDF.vbs	Get hash	malicious	Browse
	9e7d034c_by_Libranalysis.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.VB.Trojan.Valyria.4579.10155.xlsm	Get hash	malicious	Browse
	SecuriteInfo.com.VB.Trojan.Valyria.4579.10155.xlsm	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
sys2021.linkpc.net	Invoice Payment_PDF.vbs	Get hash	malicious	Browse	51.178.229.162
	Invoice for B1019855_PDF.vbs	Get hash	malicious	Browse	51.178.229.162
	02_extracted.exe	Get hash	malicious	Browse	52.39.28.134
	Invoice No B1019855_PDF.vbs	Get hash	malicious	Browse	51.210.201.99
	01_extracted.exe	Get hash	malicious	Browse	46.105.77.230
	02_extracted.exe	Get hash	malicious	Browse	46.105.77.230
	02_extracted.exe	Get hash	malicious	Browse	79.137.109.121
	03_extracted.exe	Get hash	malicious	Browse	79.137.109.121
	Invoice No F1019855_PDF.vbs	Get hash	malicious	Browse	87.98.245.48
	Invoice No F1019855_PDF.vbs	Get hash	malicious	Browse	79.137.109.121
	Spec_PDF.vbs	Get hash	malicious	Browse	105.112.11.245
	SpecPDF.vbs	Get hash	malicious	Browse	179.43.166.32

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OVHFR	JHSkaPIXXA.exe	Get hash	malicious	Browse	51.254.187.177
	CBI8Rv3xZ7.dll	Get hash	malicious	Browse	51.77.82.110
	hcTYYoyYOS.dll	Get hash	malicious	Browse	51.77.82.110
	CBI8Rv3xZ7.dll	Get hash	malicious	Browse	51.77.82.110
	hcTYYoyYOS.dll	Get hash	malicious	Browse	51.77.82.110
	Purchase_Order.exe	Get hash	malicious	Browse	213.186.33.5
	ORDER-21611docx.exe	Get hash	malicious	Browse	87.98.245.48
	s6ljEIsdF3.exe	Get hash	malicious	Browse	176.31.95.228
	hb5swSGLBT.exe	Get hash	malicious	Browse	176.31.95.228
	CM0Q30sK3K.exe	Get hash	malicious	Browse	176.31.95.228
	zIrx1wUddJ.exe	Get hash	malicious	Browse	144.217.14.109
	8qdfmqz1PN.exe	Get hash	malicious	Browse	51.222.56.151
	New Order PO2193570O1.doc	Get hash	malicious	Browse	51.222.56.151
	New Order PO2193570O1.pdf.exe	Get hash	malicious	Browse	51.222.56.151
	Request For Quote.exe	Get hash	malicious	Browse	158.69.138.23
	payload.html	Get hash	malicious	Browse	145.239.131.60
	6VYNUalwUt.exe	Get hash	malicious	Browse	178.33.222.241
	New Inquiry.exe	Get hash	malicious	Browse	158.69.138.23
	New Order TL273723734533.pdf.exe	Get hash	malicious	Browse	51.222.56.151
	Requestforquote.exe	Get hash	malicious	Browse	158.69.138.23
AMAZON-02US	CIGi9PIHbu.exe	Get hash	malicious	Browse	3.18.3.168
	research-1234799369.xlsb	Get hash	malicious	Browse	52.220.160.98
	microsoft office 2007 service pack 2.exe	Get hash	malicious	Browse	13.248.148.254
	ws8W4yPAvg.exe	Get hash	malicious	Browse	3.22.15.135
	UOMp9cDcqZ.exe	Get hash	malicious	Browse	52.58.78.16
	OrderKLB210568.exe	Get hash	malicious	Browse	34.215.126.147
	q7jxy6gZMb.exe	Get hash	malicious	Browse	104.192.141.1
	b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba.exe	Get hash	malicious	Browse	52.219.158.14
	8BDBD0yy0q.apk	Get hash	malicious	Browse	52.17.153.103
	8BDBD0yy0q.apk	Get hash	malicious	Browse	13.224.195.88
	ehDnx4Ke5d.exe	Get hash	malicious	Browse	3.22.15.135
	KY4cmAI0jU.exe	Get hash	malicious	Browse	3.34.12.41
	c71fd2gJus.exe	Get hash	malicious	Browse	52.219.64.3
	XQehPgTn35.exe	Get hash	malicious	Browse	3.136.65.236
	E1a92ARmPw.exe	Get hash	malicious	Browse	35.157.179.180
	crt9O3URua.exe	Get hash	malicious	Browse	35.157.179.180
	E1a92ARmPw.exe	Get hash	malicious	Browse	52.218.105.219
	DNPr7t0GMY.exe	Get hash	malicious	Browse	13.59.53.244
	lTAPQJikGw.exe	Get hash	malicious	Browse	99.83.154.118
	SKlGhwkzTi.exe	Get hash	malicious	Browse	44.227.65.245
AS40676US	lTAPQJikGw.exe	Get hash	malicious	Browse	172.107.55.6
	KI91QtYDef.exe	Get hash	malicious	Browse	104.217.8.109
	quotation zip.exe	Get hash	malicious	Browse	185.215.224.53
	template-jn02b3.dot	Get hash	malicious	Browse	207.231.106.130
	y31Lwif2sE.lnk	Get hash	malicious	Browse	45.61.138.207
	MJH.exe	Get hash	malicious	Browse	46.243.207.43
	Swift copy_9808.exe	Get hash	malicious	Browse	104.217.141.243
	Document_46161561.xls	Get hash	malicious	Browse	107.160.244.54
	ICNdIx3GY1.exe	Get hash	malicious	Browse	104.217.8.122
	SecuriteInfo.com.WinGo.GoCLR.A.24820.exe	Get hash	malicious	Browse	45.61.136.223
	cb5b3ec1be5f432cec70fbea8d525210ef25570b56fba.exe	Get hash	malicious	Browse	104.217.8.122
	1VdxXmBPdY.exe	Get hash	malicious	Browse	104.217.8.122
	62lNIwplP8.exe	Get hash	malicious	Browse	45.61.136.223
	iBpCEHz2q4.exe	Get hash	malicious	Browse	104.217.8.122
	Invoice Payment_PDF.vbs	Get hash	malicious	Browse	191.96.25.26
	Y8bZnrFXSo.exe	Get hash	malicious	Browse	104.217.8.122
	ZqdsbHIY5d.exe	Get hash	malicious	Browse	104.217.8.122
	wfIHlX06iC.exe	Get hash	malicious	Browse	104.217.8.122
	ftl1MRlCZu.exe	Get hash	malicious	Browse	104.217.8.122
	Fki4Q91Cvm.exe	Get hash	malicious	Browse	104.217.8.122

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\2name.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\2name.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	655
Entropy (8bit):	5.273171405160065
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9t0U2WUXBQav:MLF20NaL329hJ5g522rWz2p29XBT
MD5:	2703120C370FBB4A8BA08C6D1754039E
SHA1:	EC0DB47BF00A4A828F796147619386C0BBEA66A1
SHA-256:	F95566974BC44F3A757CAFB1456D185D8F333AC84775089DE18310B90C18B1BC
SHA-512:	BC05A2A1BE5B122FC6D3DEA66EF4258522F13351B9754378395AAD019631E312CFD3BC990F3E3D5C7BB0BDBA1EAD54A2B34A96DEE2FCCD703721E98F6192ED48
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\file1.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\file1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	655
Entropy (8bit):	5.273171405160065
Encrypted:	false
SSDEEP:	12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9t0U2WUXBQav:MLF20NaL329hJ5g522rWz2p29XBT
MD5:	2703120C370FBB4A8BA08C6D1754039E
SHA1:	EC0DB47BF00A4A828F796147619386C0BBEA66A1
SHA-256:	F95566974BC44F3A757CAFB1456D185D8F333AC84775089DE18310B90C18B1BC
SHA-512:	BC05A2A1BE5B122FC6D3DEA66EF4258522F13351B9754378395AAD019631E312CFD3BC990F3E3D5C7BB0BDBA1EAD54A2B34A96DEE2FCCD703721E98F6192ED48
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..

C:\Users\user\AppData\Local\Temp\2name.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	726016
Entropy (8bit):	7.460683048230593
Encrypted:	false
SSDEEP:	12288:s4Vk+Co34f3xqyPOdN7CEd6ytjAzYhoWtaGiVXRwO:sUCo34gyWdN7H6SDzAjJRwO
MD5:	CF4CD927CCC626FB016D0E91CF6BD456
SHA1:	16C9EA9C6050EC976537ADE42C5C049F7AF2599B
SHA-256:	03D512E79C0748CC83D5BCB4B8847534D7E81D929DAB496727ACBEEC1A5FD694
SHA-512:	422F85A2D020E87D9936668C3D4863C49503FD62070BD6A80B5334FBAA77A55C4095FB53AAB2015498133FAD3FF65CC98090A6C012D9B2F325702016BB51D215
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............0..............(... ...@....@.. ....................................@.................................p(..O....@.......................`......8'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......D...,)..........p,................................................r...p}......}.....(.......(.......0............{....o....r[..p(....-\.{....o....r[..p(....-E.{....o....r[..p(....-..{....o....r[..p(....-..{....o....r[..p(....+....,..r]..p(....&+....(..........0..+.........,..{.......+....,...{....o........(.......0..N.............(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s

C:\Users\user\AppData\Local\Temp\file1.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	756224
Entropy (8bit):	7.493608714130465
Encrypted:	false
SSDEEP:	12288:S42kl8+drZTnwWp/OdrFYU+8hs3pVo1f9majwN9DLHvBYWSsVWSy:SY8+drZrp2d6P3pVo1vydrvBYeV9
MD5:	07C82C84BAEC92953A270419C72D7F10
SHA1:	DB68FCB828195BC4556E8A4725BA1BF5057A7C56
SHA-256:	074EE7EF8958EA94C8E5B35D87DAE1B8CFBA9FAF46FB15D61C740FBFD600D758
SHA-512:	C70D0AE16A4BDF285DF963B3E80A0737DD7AD9D5B5A82EFFCBA5CF274E1CC96C3B2607D1AFE26AB8E86788C0FA5E7AE903743D70EDDA7F2DFE8EA8DCCEFE5F2F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m..`..............0................. ........@.. ....................................@.....................................O...................................`................................................ ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......D...4)..........x,...p............................................r...p}......}.....(.......(.......0............{....o....r[..p(....-\.{....o....r[..p(....-E.{....o....r[..p(....-..{....o....r[..p(....-..{....o....r[..p(....+....,..r]..p(....&+....(..........0..+.........,..{.......+....,...{....o........(.......0..N.............(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s

C:\Users\user\AppData\Local\Temp\tmpC46.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\file1.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1643
Entropy (8bit):	5.193758749843159
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBgtn:cbh47TlNQ//rydbz9I3YODOLNdq3c
MD5:	65835A3FDB40FADC683FF7C737DD45B8
SHA1:	B4F8BAC9E41E723EB171ABC7395CC19A318BE781
SHA-256:	5732AC8EE9ECD64FAE6A998D5BBEB68E9B06309DE048562B5394AAAF49131B76
SHA-512:	18A61873F4520F2C61A1289C23797D9DD5BFC4481E4F89016AC77981FA3DA6D90DAF821DB2154607B9444DF3D15919E442798DB15F5A2DB5F8B921928D51D97B
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\file1.exe
File Type:	data
Category:	dropped
Size (bytes):	696
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	12:X4LEnybgCF0uCYKZr+dLEnybgCF0uCYKZr+dLEnybgCF0uCYKZr+K:IQnybgC4jh+dQnybgC4jh+dQnybgC4jp
MD5:	AF6AA7C823112E2342E8D98BE5EDE0A9
SHA1:	D48CA92F4FA11CC9619185563F2D57A6099D21D0
SHA-256:	8D2ACD0CB78A2C690E2DCA1E9C92D273DAF4804DF0B4AC55E14D120C96F7671D
SHA-512:	B822403E85339F4FF2D88608D73DA75A149756FF44454386E1EB2451A6CCCE0F65ECA596F95BBBAD942C963F8C4CA2ADE582D6E50750596DB263BA879FB3ECE1
Malicious:	false
Reputation:	low
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\file1.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:bs8t:5t
MD5:	40198B97616273D9646AB6202B43D7C2
SHA1:	873C0C9A032CA79138FEE4AC197D6C360185D6BC
SHA-256:	43F580A134F143DE82F8BA52CEB9736322D918D3C987B56643DC64308B992B6A
SHA-512:	2CB67B647EA406E4E68BDE03B742CEE25CF88B27EB3D9610B5666B836D4BD4579D5D7FB9F4BB41FBB9751F56D0F4405C4A625ADA36E72D6447ED9F73C09309BA
Malicious:	true
Reputation:	low
Preview:	6."..-.H

C:\Users\user\AppData\Roaming\HHyKJahmIz.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\file1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	756224
Entropy (8bit):	7.493608714130465
Encrypted:	false
SSDEEP:	12288:S42kl8+drZTnwWp/OdrFYU+8hs3pVo1f9majwN9DLHvBYWSsVWSy:SY8+drZrp2d6P3pVo1vydrvBYeV9
MD5:	07C82C84BAEC92953A270419C72D7F10
SHA1:	DB68FCB828195BC4556E8A4725BA1BF5057A7C56
SHA-256:	074EE7EF8958EA94C8E5B35D87DAE1B8CFBA9FAF46FB15D61C740FBFD600D758
SHA-512:	C70D0AE16A4BDF285DF963B3E80A0737DD7AD9D5B5A82EFFCBA5CF274E1CC96C3B2607D1AFE26AB8E86788C0FA5E7AE903743D70EDDA7F2DFE8EA8DCCEFE5F2F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m..`..............0................. ........@.. ....................................@.....................................O...................................`................................................ ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......D...4)..........x,...p............................................r...p}......}.....(.......(.......0............{....o....r[..p(....-\.{....o....r[..p(....-E.{....o....r[..p(....-..{....o....r[..p(....-..{....o....r[..p(....+....,..r]..p(....&+....(..........0..+.........,..{.......+....,...{....o........(.......0..N.............(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	5.799622098272767
TrID:	Visual Basic Script (13500/0) 87.10% Disk Image (Macintosh), GPT (2000/0) 12.90%
File name:	Invoice#06-11-2021_PDF.vbs
File size:	2064477
MD5:	fcc6014f7ee0539aead5f38b4fe5245e
SHA1:	2f006d44ad82ca71319a5bf615677016ff7e918b
SHA256:	699d670809bccdbbdb2ae85d80be86d6fd00586c56e0375df34527d4ec6045cf
SHA512:	a9dd70d2b62ca41c9704379d57011a71cb661e9d8260cce95226f7dc357a91b59f3f99f6cd6d2d6563aaaa05cb84cf3c0284e3e1de72001eb9d6ab816e4fe208
SSDEEP:	24576:Xb14lK6ARrnCSZv3nc/4Y6FmALwmZz2nI/lks167U29/nwGNEaRr8I+TaCinTtKl:HrFm0wfIdkv7KGtmwkDtKW
File Content Preview:	on error resume next..Dim oJKUEaQXRjwWohJKfxRBprCcdayyKzcHoIONamdeSvgNYPTakLyerbyxGiqdcSNSHohfTwksTmitKpDOGYNzAxPNKQGsvzCziOGjhoGobFLFsEmRfcXDFNSJYUVCqsxTkjLwiTgSRZYumKUFdoMTcyuUwwKMSDxjIrUJsqjLvFlfpXWOAQYBfermorAlITzObplvqKMnFBXW..'MOeYawMCewDezhUBqxCcFX

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/12/21-08:09:51.251566	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49731	11940	192.168.2.3	191.96.25.26
06/12/21-08:09:57.374510	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49735	11940	192.168.2.3	191.96.25.26
06/12/21-08:10:03.567163	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49742	11940	192.168.2.3	191.96.25.26
06/12/21-08:10:09.685092	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	11940	192.168.2.3	191.96.25.26
06/12/21-08:10:20.008499	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49747	11940	192.168.2.3	191.96.25.26

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 12, 2021 08:08:54.517092943 CEST	49723	11940	192.168.2.3	52.39.28.134
Jun 12, 2021 08:08:57.526808977 CEST	49723	11940	192.168.2.3	52.39.28.134
Jun 12, 2021 08:09:03.624458075 CEST	49723	11940	192.168.2.3	52.39.28.134
Jun 12, 2021 08:09:15.772313118 CEST	49729	11940	192.168.2.3	52.39.28.134
Jun 12, 2021 08:09:18.797601938 CEST	49729	11940	192.168.2.3	52.39.28.134
Jun 12, 2021 08:09:24.798130989 CEST	49729	11940	192.168.2.3	52.39.28.134
Jun 12, 2021 08:09:34.077712059 CEST	49730	11940	192.168.2.3	52.39.28.134
Jun 12, 2021 08:09:37.080526114 CEST	49730	11940	192.168.2.3	52.39.28.134
Jun 12, 2021 08:09:43.080950022 CEST	49730	11940	192.168.2.3	52.39.28.134
Jun 12, 2021 08:09:50.911637068 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:51.090446949 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:51.090775967 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:51.251565933 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:51.443285942 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:51.443367958 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:51.676435947 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:51.676532984 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:51.856012106 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:51.856105089 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.085388899 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.085504055 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.319720984 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.319824934 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.320794106 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.320816040 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.320833921 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.320849895 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.320895910 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.320954084 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.499878883 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.499907017 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.499921083 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.499936104 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.499950886 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.499965906 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.500056982 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.500143051 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.500155926 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.500160933 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.500231028 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.678024054 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678085089 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678123951 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678163052 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678204060 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678251028 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678263903 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.678293943 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678298950 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.678333044 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678337097 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.678373098 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678385019 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.678411961 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678421974 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.678450108 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678488970 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678525925 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678540945 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.678570986 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.678574085 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678617001 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678653955 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.678714991 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.856555939 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.856616020 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.856647968 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.856678009 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.856718063 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.856735945 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.856758118 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.856790066 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.856796980 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.856812954 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.856847048 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.856852055 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.856892109 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.856904030 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.856930971 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.856941938 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.856971979 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.856981993 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.857012033 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.857017994 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.857049942 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.857060909 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.857089043 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.857101917 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.857126951 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.857137918 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.857177973 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.857183933 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.857223988 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.857228041 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.857261896 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.857274055 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.857301950 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.857312918 CEST	49731	11940	192.168.2.3	191.96.25.26
Jun 12, 2021 08:09:52.857343912 CEST	11940	49731	191.96.25.26	192.168.2.3
Jun 12, 2021 08:09:52.857355118 CEST	49731	11940	192.168.2.3	191.96.25.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 12, 2021 08:08:01.074426889 CEST	56961	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:01.136773109 CEST	53	56961	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:02.388601065 CEST	59353	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:02.440125942 CEST	53	59353	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:03.754650116 CEST	52238	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:03.808229923 CEST	53	52238	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:05.060157061 CEST	49873	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:05.110476017 CEST	53	49873	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:06.462075949 CEST	53196	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:06.520953894 CEST	53	53196	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:07.770997047 CEST	56777	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:07.826273918 CEST	53	56777	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:09.045250893 CEST	58643	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:09.096327066 CEST	53	58643	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:10.177845955 CEST	60985	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:10.228283882 CEST	53	60985	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:11.472265959 CEST	50200	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:11.524274111 CEST	53	50200	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:12.718384027 CEST	51281	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:12.771251917 CEST	53	51281	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:14.064028025 CEST	49199	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:14.118029118 CEST	53	49199	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:15.772988081 CEST	50620	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:15.832031012 CEST	53	50620	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:16.893745899 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:16.948960066 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:18.108439922 CEST	60152	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:18.161818027 CEST	53	60152	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:19.307070971 CEST	57544	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:19.357834101 CEST	53	57544	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:20.863699913 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:20.913671970 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:24.887376070 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:24.890654087 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:24.947530031 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:24.953819036 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:25.409041882 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:25.470307112 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:25.595859051 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:25.659822941 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:28.110452890 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:28.172091007 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:28.403188944 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:28.467664003 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:28.884452105 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:28.978724003 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:31.299772024 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:31.324022055 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:31.359038115 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:31.384054899 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:38.726635933 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:38.787091017 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:44.617669106 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:44.679912090 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 12, 2021 08:08:54.326776028 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:08:54.503034115 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 12, 2021 08:09:09.557229996 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:09:09.574312925 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:09:09.575066090 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:09:09.607495070 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 12, 2021 08:09:09.624795914 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 12, 2021 08:09:09.633641005 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 12, 2021 08:09:09.961182117 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:09:10.023971081 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 12, 2021 08:09:15.375874996 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:09:15.551716089 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 12, 2021 08:09:33.977591038 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:09:34.038955927 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 12, 2021 08:09:54.043296099 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:09:54.111274958 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 12, 2021 08:09:57.715130091 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:09:57.793838978 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 12, 2021 08:10:02.387377977 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 12, 2021 08:10:02.450416088 CEST	53	50713	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 12, 2021 08:08:28.403188944 CEST	192.168.2.3	8.8.8.8	0xae51	Standard query (0)	clientconfig.passport.net	A (IP address)	IN (0x0001)
Jun 12, 2021 08:08:54.326776028 CEST	192.168.2.3	8.8.8.8	0xdd02	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Jun 12, 2021 08:09:15.375874996 CEST	192.168.2.3	8.8.8.8	0xc79a	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Jun 12, 2021 08:09:33.977591038 CEST	192.168.2.3	8.8.8.8	0x2ccc	Standard query (0)	sys2021.linkpc.net	A (IP address)	IN (0x0001)
Jun 12, 2021 08:09:57.715130091 CEST	192.168.2.3	8.8.8.8	0xb4ee	Standard query (0)	mail.jetport-aero.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 12, 2021 08:08:25.470307112 CEST	8.8.8.8	192.168.2.3	0x5e14	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jun 12, 2021 08:08:28.467664003 CEST	8.8.8.8	192.168.2.3	0xae51	No error (0)	clientconfig.passport.net	authgfx.msa.akadns6.net		CNAME (Canonical name)	IN (0x0001)
Jun 12, 2021 08:08:54.503034115 CEST	8.8.8.8	192.168.2.3	0xdd02	No error (0)	sys2021.linkpc.net		52.39.28.134	A (IP address)	IN (0x0001)
Jun 12, 2021 08:09:15.551716089 CEST	8.8.8.8	192.168.2.3	0xc79a	No error (0)	sys2021.linkpc.net		52.39.28.134	A (IP address)	IN (0x0001)
Jun 12, 2021 08:09:34.038955927 CEST	8.8.8.8	192.168.2.3	0x2ccc	No error (0)	sys2021.linkpc.net		52.39.28.134	A (IP address)	IN (0x0001)
Jun 12, 2021 08:09:57.793838978 CEST	8.8.8.8	192.168.2.3	0xb4ee	No error (0)	mail.jetport-aero.com	jetport-aero.com		CNAME (Canonical name)	IN (0x0001)
Jun 12, 2021 08:09:57.793838978 CEST	8.8.8.8	192.168.2.3	0xb4ee	No error (0)	jetport-aero.com		217.182.175.206	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jun 12, 2021 08:09:58.023027897 CEST	587	49736	217.182.175.206	192.168.2.3	220-ns3819423.ip-217-182-175.eu ESMTP Exim 4.93 #2 Sat, 12 Jun 2021 11:39:58 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jun 12, 2021 08:09:58.027066946 CEST	49736	587	192.168.2.3	217.182.175.206	EHLO 639509
Jun 12, 2021 08:09:58.078576088 CEST	587	49736	217.182.175.206	192.168.2.3	250-ns3819423.ip-217-182-175.eu Hello 639509 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jun 12, 2021 08:09:58.079933882 CEST	49736	587	192.168.2.3	217.182.175.206	STARTTLS
Jun 12, 2021 08:09:58.133795977 CEST	587	49736	217.182.175.206	192.168.2.3	220 TLS go ahead
Jun 12, 2021 08:09:58.883198977 CEST	587	49736	217.182.175.206	192.168.2.3	421 Lost incoming connection
Jun 12, 2021 08:10:14.266299009 CEST	587	49744	217.182.175.206	192.168.2.3	220-ns3819423.ip-217-182-175.eu ESMTP Exim 4.93 #2 Sat, 12 Jun 2021 11:40:14 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jun 12, 2021 08:10:14.267148972 CEST	49744	587	192.168.2.3	217.182.175.206	EHLO 639509
Jun 12, 2021 08:10:14.320889950 CEST	587	49744	217.182.175.206	192.168.2.3	250-ns3819423.ip-217-182-175.eu Hello 639509 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jun 12, 2021 08:10:14.323684931 CEST	49744	587	192.168.2.3	217.182.175.206	STARTTLS
Jun 12, 2021 08:10:14.379235983 CEST	587	49744	217.182.175.206	192.168.2.3	220 TLS go ahead
Jun 12, 2021 08:10:17.940721035 CEST	587	49744	217.182.175.206	192.168.2.3	421 ns3819423.ip-217-182-175.eu lost input connection
Jun 12, 2021 08:10:18.012880087 CEST	587	49745	217.182.175.206	192.168.2.3	220-ns3819423.ip-217-182-175.eu ESMTP Exim 4.93 #2 Sat, 12 Jun 2021 11:40:18 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jun 12, 2021 08:10:18.013842106 CEST	49745	587	192.168.2.3	217.182.175.206	EHLO 639509
Jun 12, 2021 08:10:18.072870970 CEST	587	49745	217.182.175.206	192.168.2.3	250-ns3819423.ip-217-182-175.eu Hello 639509 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jun 12, 2021 08:10:18.073750973 CEST	49745	587	192.168.2.3	217.182.175.206	STARTTLS
Jun 12, 2021 08:10:18.127690077 CEST	587	49745	217.182.175.206	192.168.2.3	220 TLS go ahead
Jun 12, 2021 08:10:18.884313107 CEST	587	49745	217.182.175.206	192.168.2.3	421 ns3819423.ip-217-182-175.eu lost input connection
Jun 12, 2021 08:10:18.944071054 CEST	587	49746	217.182.175.206	192.168.2.3	220-ns3819423.ip-217-182-175.eu ESMTP Exim 4.93 #2 Sat, 12 Jun 2021 11:40:18 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jun 12, 2021 08:10:18.944447041 CEST	49746	587	192.168.2.3	217.182.175.206	EHLO 639509
Jun 12, 2021 08:10:18.995879889 CEST	587	49746	217.182.175.206	192.168.2.3	250-ns3819423.ip-217-182-175.eu Hello 639509 [84.17.52.18] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jun 12, 2021 08:10:18.996215105 CEST	49746	587	192.168.2.3	217.182.175.206	STARTTLS
Jun 12, 2021 08:10:19.050832033 CEST	587	49746	217.182.175.206	192.168.2.3	220 TLS go ahead

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 4804 Parent PID: 3388

General

Start time:	08:08:06
Start date:	12/06/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Invoice#06-11-2021_PDF.vbs'
Imagebase:	0x7ff679cd0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: file1.exe PID: 5784 Parent PID: 4804

General

Start time:	08:08:10
Start date:	12/06/2021
Path:	C:\Users\user\AppData\Local\Temp\file1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\file1.exe'
Imagebase:	0x5d0000
File size:	756224 bytes
MD5 hash:	07C82C84BAEC92953A270419C72D7F10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.297937965.0000000003F51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000001.00000002.307230936.000000000D351000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: 2name.exe PID: 5828 Parent PID: 4804

General

Start time:	08:08:10
Start date:	12/06/2021
Path:	C:\Users\user\AppData\Local\Temp\2name.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\2name.exe'
Imagebase:	0x190000
File size:	726016 bytes
MD5 hash:	CF4CD927CCC626FB016D0E91CF6BD456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.311010210.000000000CDE1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.311010210.000000000CDE1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.294907318.00000000038B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.294907318.00000000038B1000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Analysis Process: 2name.exe PID: 5004 Parent PID: 5828

General

Start time:	08:08:47
Start date:	12/06/2021
Path:	C:\Users\user\AppData\Local\Temp\2name.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xa30000
File size:	726016 bytes
MD5 hash:	CF4CD927CCC626FB016D0E91CF6BD456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.468518858.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000002.468518858.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.477741518.0000000003301000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.288308557.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000000.288308557.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: schtasks.exe PID: 5412 Parent PID: 5784

General

Start time:	08:08:48
Start date:	12/06/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HHyKJahmIz' /XML 'C:\Users\user\AppData\Local\Temp\tmpC46.tmp'
Imagebase:	0x930000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5076 Parent PID: 5412

General

Start time:	08:08:49
Start date:	12/06/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: file1.exe PID: 4076 Parent PID: 5784

General

Start time:	08:08:49
Start date:	12/06/2021
Path:	C:\Users\user\AppData\Local\Temp\file1.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xc40000
File size:	756224 bytes
MD5 hash:	07C82C84BAEC92953A270419C72D7F10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.479174515.0000000004334000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.291952352.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000002.468642288.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.479905732.0000000005680000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000015.00000002.479905732.0000000005680000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000015.00000000.292645242.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.480599769.0000000005C00000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Invoice#06-11-2021_PDF.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

Stealing of Sensitive Information:

Remote Access Functionality:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre