Play interactive tour

Edit tour

Windows Analysis Report Inv-04_PDF.vbs

Overview

General Information

Sample Name:	Inv-04_PDF.vbs
Analysis ID:	452070
MD5:	b6a05c3a37dde3db4a8005dfaeda9e97
SHA1:	c0b64b85e13865a76136ce2d5674ebca53246566
SHA256:	1d5026cbfdcd2825631dd77f8f5149e275f03ec78390f94e63dad83d778569c1
Tags:	vbs
Infos:
Most interesting Screenshot:

Detection

Nanocore AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: NanoCore

VBScript performs obfuscated calls to suspicious functions

Yara detected AgentTesla

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Creates an undocumented autostart registry key

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 2540 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

file1.exe (PID: 4900 cmdline: 'C:\Users\user\AppData\Local\Temp\file1.exe' MD5: 672E9FDC80F39F27F98A048B9F51AEA0)

InstallUtil.exe (PID: 5808 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

file2.exe (PID: 6012 cmdline: 'C:\Users\user\AppData\Local\Temp\file2.exe' MD5: B564A2BAE72F01F3E3FB726184FED4C9)

InstallUtil.exe (PID: 4072 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

InstallUtil.exe (PID: 5416 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

dhcpmon.exe (PID: 2872 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)

conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Inv-04_PDF.vbs	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x6f914:$: VFZxUUFBT 0x18da09:$: UVnFRQUFN

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f15:$a: NanoCore 0x42f6e:$a: NanoCore 0x42fab:$a: NanoCore 0x43024:$a: NanoCore 0x566cf:$a: NanoCore 0x566e4:$a: NanoCore 0x56719:$a: NanoCore 0x6f193:$a: NanoCore 0x6f1a8:$a: NanoCore 0x6f1dd:$a: NanoCore 0x42f77:$b: ClientPlugin 0x42fb4:$b: ClientPlugin 0x438b2:$b: ClientPlugin 0x438bf:$b: ClientPlugin 0x5648b:$b: ClientPlugin 0x564a6:$b: ClientPlugin 0x564d6:$b: ClientPlugin 0x566ed:$b: ClientPlugin 0x56722:$b: ClientPlugin 0x6ef4f:$b: ClientPlugin 0x6ef6a:$b: ClientPlugin
00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x58b75:$x1: NanoCore.ClientPluginHost 0x58bb2:$x2: IClientNetworkHost 0x5c6e5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x588dd:$a: NanoCore 0x588ed:$a: NanoCore 0x58b21:$a: NanoCore 0x58b35:$a: NanoCore 0x58b75:$a: NanoCore 0x5893c:$b: ClientPlugin 0x58b3e:$b: ClientPlugin 0x58b7e:$b: ClientPlugin 0x58a63:$c: ProjectData 0x5946a:$d: DESCrypto 0x5b01f:$i: get_Connected 0x597a0:$j: #=q 0x597d0:$j: #=q 0x597ec:$j: #=q 0x5981c:$j: #=q 0x59838:$j: #=q 0x59854:$j: #=q 0x59884:$j: #=q 0x598a0:$j: #=q 0x598e4:$j: #=q 0x59900:$j: #=q
00000000.00000003.239940723.0000015609951000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x19cebe:$: UVnFRQUFN
00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d2d:$x1: NanoCore.ClientPluginHost 0x10d6a:$x2: IClientNetworkHost 0x1489d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10a95:$a: NanoCore 0x10aa5:$a: NanoCore 0x10cd9:$a: NanoCore 0x10ced:$a: NanoCore 0x10d2d:$a: NanoCore 0x10af4:$b: ClientPlugin 0x10cf6:$b: ClientPlugin 0x10d36:$b: ClientPlugin 0x10c1b:$c: ProjectData 0x11622:$d: DESCrypto 0x18fee:$e: KeepAlive 0x16fdc:$g: LogClientMessage 0x131d7:$i: get_Connected 0x11958:$j: #=q 0x11988:$j: #=q 0x119a4:$j: #=q 0x119d4:$j: #=q 0x119f0:$j: #=q 0x11a0c:$j: #=q 0x11a3c:$j: #=q 0x11a58:$j: #=q
00000000.00000003.237652403.0000015608C41000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x47fea:$: UVnFRQUFN
00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x37ced:$x1: NanoCore.ClientPluginHost 0x5fd0d:$x1: NanoCore.ClientPluginHost 0x37d2a:$x2: IClientNetworkHost 0x5fd4a:$x2: IClientNetworkHost 0x3b85d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6387d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x37a55:$a: NanoCore 0x37a65:$a: NanoCore 0x37c99:$a: NanoCore 0x37cad:$a: NanoCore 0x37ced:$a: NanoCore 0x5fa75:$a: NanoCore 0x5fa85:$a: NanoCore 0x5fcb9:$a: NanoCore 0x5fccd:$a: NanoCore 0x5fd0d:$a: NanoCore 0x37ab4:$b: ClientPlugin 0x37cb6:$b: ClientPlugin 0x37cf6:$b: ClientPlugin 0x5fad4:$b: ClientPlugin 0x5fcd6:$b: ClientPlugin 0x5fd16:$b: ClientPlugin 0x37bdb:$c: ProjectData 0x5fbfb:$c: ProjectData 0x385e2:$d: DESCrypto 0x60602:$d: DESCrypto 0x3ffae:$e: KeepAlive
00000000.00000003.238803642.0000015608A41000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x15d24:$: VFZxUUFBT
00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x694ab:$a: NanoCore 0x69504:$a: NanoCore 0x69541:$a: NanoCore 0x695ba:$a: NanoCore 0x6950d:$b: ClientPlugin 0x6954a:$b: ClientPlugin 0x69e48:$b: ClientPlugin 0x69e55:$b: ClientPlugin 0x5f0fe:$e: KeepAlive 0x69995:$g: LogClientMessage 0x69915:$i: get_Connected 0x598e1:$j: #=q 0x59911:$j: #=q 0x5994d:$j: #=q 0x59975:$j: #=q 0x599a5:$j: #=q 0x599d5:$j: #=q 0x59a05:$j: #=q 0x59a35:$j: #=q 0x59a51:$j: #=q 0x59a81:$j: #=q
00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x188bd:$x1: NanoCore.ClientPluginHost 0x188fa:$x2: IClientNetworkHost 0x1c42d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x18625:$a: NanoCore 0x18635:$a: NanoCore 0x18869:$a: NanoCore 0x1887d:$a: NanoCore 0x188bd:$a: NanoCore 0x18684:$b: ClientPlugin 0x18886:$b: ClientPlugin 0x188c6:$b: ClientPlugin 0x187ab:$c: ProjectData 0x191b2:$d: DESCrypto 0x20b7e:$e: KeepAlive 0x1eb6c:$g: LogClientMessage 0x1ad67:$i: get_Connected 0x194e8:$j: #=q 0x19518:$j: #=q 0x19534:$j: #=q 0x19564:$j: #=q 0x19580:$j: #=q 0x1959c:$j: #=q 0x195cc:$j: #=q 0x195e8:$j: #=q
00000000.00000003.239481925.0000015609951000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x19b988:$: VFZxUUFBT
00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000003.248521779.0000015609010000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0xe4090:$: VFZxUUFBT 0x568968:$: VFZxUUFBT 0x316106:$: UVnFRQUFN 0x7a4b52:$: UVnFRQUFN
Process Memory Space: InstallUtil.exe PID: 5808	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: InstallUtil.exe PID: 5808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file2.exe PID: 6012	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x330550:$x1: NanoCore.ClientPluginHost 0x3823bd:$x1: NanoCore.ClientPluginHost 0x4fe757:$x1: NanoCore.ClientPluginHost 0x51c1fe:$x1: NanoCore.ClientPluginHost 0x708a24:$x1: NanoCore.ClientPluginHost 0x3305b1:$x2: IClientNetworkHost 0x38241e:$x2: IClientNetworkHost 0x4fe7b8:$x2: IClientNetworkHost 0x51c25f:$x2: IClientNetworkHost 0x708a85:$x2: IClientNetworkHost 0x3359b6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x339875:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x387823:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x395795:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x503bbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x511b2f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x521664:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x52f5d6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x70de8a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x71bdfc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: file2.exe PID: 6012	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: file2.exe PID: 6012	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x330055:$a: NanoCore 0x330071:$a: NanoCore 0x3301cc:$a: NanoCore 0x3301db:$a: NanoCore 0x3304b4:$a: NanoCore 0x3304e0:$a: NanoCore 0x330550:$a: NanoCore 0x335edf:$a: NanoCore 0x335ef1:$a: NanoCore 0x335f2d:$a: NanoCore 0x381ec2:$a: NanoCore 0x381ede:$a: NanoCore 0x382039:$a: NanoCore 0x382048:$a: NanoCore 0x382321:$a: NanoCore 0x38234d:$a: NanoCore 0x3823bd:$a: NanoCore 0x391dff:$a: NanoCore 0x391e11:$a: NanoCore 0x391e4d:$a: NanoCore 0x4fe25c:$a: NanoCore
Process Memory Space: wscript.exe PID: 2540	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x48da49:$: VFZxUUFBT 0x6cffec:$: VFZxUUFBT 0xb2a10f:$: VFZxUUFBT 0xcfcf50:$: VFZxUUFBT 0xdcd78:$: UVnFRQUFN 0x3c5d01:$: UVnFRQUFN 0x5a6b01:$: UVnFRQUFN 0x7ee111:$: UVnFRQUFN
Click to see the 36 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.file1.exe.3ca7650.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.file1.exe.3ca7650.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.file2.exe.4114b60.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.file2.exe.4114b60.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.2.file2.exe.4114b60.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.file2.exe.4114b60.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
24.2.InstallUtil.exe.3d24595.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c48:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c75:$x2: IClientNetworkHost
24.2.InstallUtil.exe.3d24595.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c48:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d23:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c62:$s5: IClientLoggingHost
24.2.InstallUtil.exe.3d24595.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.file2.exe.34379e8.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.file2.exe.34379e8.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0xe3b7:$s5: IClientLoggingHost
5.2.file2.exe.34379e8.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q 0xf0fc:$j: #=q 0xf118:$j: #=q
24.2.InstallUtil.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
24.2.InstallUtil.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
24.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.InstallUtil.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
24.2.InstallUtil.exe.3d1ff6c.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
24.2.InstallUtil.exe.3d1ff6c.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
24.2.InstallUtil.exe.3d1ff6c.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.file2.exe.34379e8.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.file2.exe.34379e8.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x101b7:$s5: IClientLoggingHost
5.2.file2.exe.34379e8.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q 0x10efc:$j: #=q 0x10f18:$j: #=q
5.2.file2.exe.413cb80.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.file2.exe.413cb80.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
5.2.file2.exe.413cb80.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.file2.exe.413cb80.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.file1.exe.39c7c38.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.file1.exe.39c7c38.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.file2.exe.4114b60.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x381ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x381ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3bd1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.file2.exe.4114b60.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x37f25:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x381ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x397e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x397da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x3a68b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x40442:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x381d7:$s5: IClientLoggingHost
5.2.file2.exe.4114b60.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.file2.exe.4114b60.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x37f15:$a: NanoCore 0x37f25:$a: NanoCore 0x38159:$a: NanoCore 0x3816d:$a: NanoCore 0x381ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x37f74:$b: ClientPlugin 0x38176:$b: ClientPlugin 0x381b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x3809b:$c: ProjectData 0x10a82:$d: DESCrypto 0x38aa2:$d: DESCrypto 0x1844e:$e: KeepAlive
4.2.file1.exe.3a3fc58.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.file1.exe.3a3fc58.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.file1.exe.3cf7670.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.file1.exe.3cf7670.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.3.wscript.exe.15609a23410.3.unpack	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0xc8cae:$: UVnFRQUFN
5.2.file2.exe.413cb80.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.file2.exe.413cb80.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.2.file2.exe.413cb80.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.file2.exe.413cb80.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
5.2.file2.exe.418cba0.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.file2.exe.418cba0.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
5.2.file2.exe.418cba0.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.file2.exe.418cba0.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
24.2.InstallUtil.exe.2d396cc.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
24.2.InstallUtil.exe.2d396cc.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
23.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
23.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.3.wscript.exe.15609a23410.0.unpack	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0xc8cae:$: UVnFRQUFN
4.2.file1.exe.3ca7650.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.file1.exe.3ca7650.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.file1.exe.3c4ba30.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.file1.exe.3c4ba30.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28271:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x2829e:$x2: IClientNetworkHost
24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28271:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2934c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x2828b:$s5: IClientLoggingHost
24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.InstallUtil.exe.3d1b136.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0a7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0d4:$x2: IClientNetworkHost
24.2.InstallUtil.exe.3d1b136.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0a7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e182:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c1:$s5: IClientLoggingHost
24.2.InstallUtil.exe.3d1b136.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
24.2.InstallUtil.exe.3d1b136.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d05d:$a: NanoCore 0x2d072:$a: NanoCore 0x2d0a7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce19:$b: ClientPlugin 0x2ce34:$b: ClientPlugin
0.3.wscript.exe.15609a23410.2.unpack	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0xc8cae:$: UVnFRQUFN
4.2.file1.exe.3cf7670.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.file1.exe.3cf7670.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
5.2.file2.exe.418cba0.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
5.2.file2.exe.418cba0.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
5.2.file2.exe.418cba0.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 62 entries

Sigma Overview

AV Detection:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore

Show sources

Source: File created

System Summary:

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\file2.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\file2.exe, ParentProcessId: 6012, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 4072

Stealing of Sensitive Information:

Sigma detected: NanoCore

Show sources

Source: File created

Remote Access Functionality:

Sigma detected: NanoCore

Show sources

Source: File created

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Metadefender: Detection: 25%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\file1.exe	ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Metadefender: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\file2.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe	Metadefender: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe	ReversingLabs: Detection: 57%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file2.exe PID: 6012, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Joe Sandbox ML: detected

Source: 24.2.InstallUtil.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.InstallUtil.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000016.00000000.413304012.0000000000362000.00000002.00020000.sdmp, InstallUtil.exe, 00000017.00000000.413907585.0000000000B32000.00000002.00020000.sdmp, InstallUtil.exe, 00000018.00000000.414470588.0000000000992000.00000002.00020000.sdmp, dhcpmon.exe, 0000001C.00000002.444953015.00000000006B2000.00000002.00020000.sdmp, InstallUtil.exe.5.dr
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, 0000001C.00000002.444953015.00000000006B2000.00000002.00020000.sdmp, InstallUtil.exe.5.dr

Source: InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp	String found in binary or memory: http://gKSfZA.com
Source: file1.exe, 00000004.00000003.252695976.0000000005AE7000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: file1.exe, 00000004.00000003.254663518.0000000005B06000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comtig(
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: file1.exe, 00000004.00000003.255713488.0000000005B06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: file1.exe, 00000004.00000003.262045265.0000000005B06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersB
Source: file1.exe, 00000004.00000003.257384126.0000000005B06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersC
Source: file1.exe, 00000004.00000003.255745631.0000000005B06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersF
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: file1.exe, 00000004.00000003.256018539.0000000005B06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: file1.exe, 00000004.00000003.255783808.0000000005B06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersZ
Source: file1.exe, 00000004.00000003.255996734.0000000005B06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersers
Source: file1.exe, 00000004.00000003.256018539.0000000005B06000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersw
Source: file1.exe, 00000004.00000002.425311594.0000000005AD0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: file1.exe, 00000004.00000002.425311594.0000000005AD0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: file1.exe, 00000004.00000003.250853437.0000000005AEB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc
Source: file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmp, file1.exe, 00000004.00000003.251985976.0000000005AE6000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: file1.exe, 00000004.00000003.251985976.0000000005AE6000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnd
Source: file1.exe, 00000004.00000003.252218602.0000000005AE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cni
Source: file1.exe, 00000004.00000003.252218602.0000000005AE1000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnt-p
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: file1.exe, 00000004.00000003.260733212.0000000005AE4000.00000004.00000001.sdmp, file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: file1.exe, 00000004.00000003.254192747.0000000005ADA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: file1.exe, 00000004.00000003.254192747.0000000005ADA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: file1.exe, 00000004.00000003.254192747.0000000005ADA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/fr-c
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com.
Source: file1.exe, 00000004.00000003.252450344.0000000005AE9000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comn
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: file1.exe, 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, InstallUtil.exe, 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: InstallUtil.exe, 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file2.exe PID: 6012, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.InstallUtil.exe.2d396cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: file2.exe PID: 6012, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: file2.exe PID: 6012, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large array initializations

Show sources

Source: 23.2.InstallUtil.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bCC1C2456u002d206Cu002d47B2u002dB640u002d7A9D0A18E16Bu007d/B899F0BCu002d2DBBu002d4D46u002dA39Eu002dC38AFE9A69B6.cs

Large array initialization: .cctor: array initializer size 12097

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 4_2_00BDC114	4_2_00BDC114
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 4_2_00BDE558	4_2_00BDE558
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 4_2_00BDE548	4_2_00BDE548
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_02DEC25C	5_2_02DEC25C
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_02DEE1D0	5_2_02DEE1D0
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_02DEE1C0	5_2_02DEE1C0
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_07DC9E90	5_2_07DC9E90
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_07DCC7A0	5_2_07DCC7A0
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_07DCCF2B	5_2_07DCCF2B
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_07DEF4B0	5_2_07DEF4B0
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_07DEA5FF	5_2_07DEA5FF
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_07DECD58	5_2_07DECD58
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_07DE3CF8	5_2_07DE3CF8
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_07DE84A1	5_2_07DE84A1
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_07DE9AD9	5_2_07DE9AD9
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 22_2_003620B0	22_2_003620B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 23_2_00B320B0	23_2_00B320B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 23_2_012FDAE8	23_2_012FDAE8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 23_2_05294042	23_2_05294042
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 23_2_052949A0	23_2_052949A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 23_2_052948AF	23_2_052948AF
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 24_2_009920B0	24_2_009920B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 24_2_013AE471	24_2_013AE471
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 24_2_013AE480	24_2_013AE480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 24_2_013ABBD4	24_2_013ABBD4

Source: Inv-04_PDF.vbs

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe

Section loaded: msdart.dll

Jump to behavior

Source: Inv-04_PDF.vbs, type: SAMPLE	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.wscript.exe.15609a23410.3.unpack, type: UNPACKEDPE	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 24.2.InstallUtil.exe.2d396cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.2d396cc.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.3.wscript.exe.15609a23410.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.wscript.exe.15609a23410.2.unpack, type: UNPACKEDPE	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.239940723.0000015609951000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.237652403.0000015608C41000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.238803642.0000015608A41000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.239481925.0000015609951000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.248521779.0000015609010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: Process Memory Space: file2.exe PID: 6012, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: file2.exe PID: 6012, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: wscript.exe PID: 2540, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889

Source: file1.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: file2.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Explorer64int.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Explorer64int.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 23.2.InstallUtil.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 23.2.InstallUtil.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winVBS@13/11@0/0

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\file1.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file1.exe.log

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{de7e01ad-963b-4e14-81aa-08dfb351f0fe}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_01

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\file1.exe

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs'

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\file1.exe 'C:\Users\user\AppData\Local\Temp\file1.exe'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\file2.exe 'C:\Users\user\AppData\Local\Temp\file2.exe'
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\file1.exe 'C:\Users\user\AppData\Local\Temp\file1.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\file2.exe 'C:\Users\user\AppData\Local\Temp\file2.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\file1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Inv-04_PDF.vbs

Static file information: File size 2437367 > 1048576

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000016.00000000.413304012.0000000000362000.00000002.00020000.sdmp, InstallUtil.exe, 00000017.00000000.413907585.0000000000B32000.00000002.00020000.sdmp, InstallUtil.exe, 00000018.00000000.414470588.0000000000992000.00000002.00020000.sdmp, dhcpmon.exe, 0000001C.00000002.444953015.00000000006B2000.00000002.00020000.sdmp, InstallUtil.exe.5.dr
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, 0000001C.00000002.444953015.00000000006B2000.00000002.00020000.sdmp, InstallUtil.exe.5.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\file1.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJFZrr0AAAAAAAAAAOAADgELATAAAOIMAABAAAAAAAAA3gE");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\file1.exe", "2");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAH4SMoAAAAAAAAAAOAADgELATAAAHANAABAAAAAAAAADo8");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\file2.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\file1.exe");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\file2.exe")

.NET source code contains potential unpacker

Show sources

Source: file1.exe.0.dr, Vzgxrm.Structs/ConnectionParameterStructBuilder.cs	.Net Code: SetException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: file1.exe.0.dr, Vzgxrm.Structs/ConnectionParameterStructBuilder.cs	.Net Code: RestartException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: file2.exe.0.dr, Hblvlabxuo.Objects/Initializer.cs	.Net Code: RemoveInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: file2.exe.0.dr, Hblvlabxuo.Objects/Initializer.cs	.Net Code: CloneInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Explorer64int.exe.4.dr, Vzgxrm.Structs/ConnectionParameterStructBuilder.cs	.Net Code: SetException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Explorer64int.exe.4.dr, Vzgxrm.Structs/ConnectionParameterStructBuilder.cs	.Net Code: RestartException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Explorer64int.exe.5.dr, Hblvlabxuo.Objects/Initializer.cs	.Net Code: RemoveInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Explorer64int.exe.5.dr, Hblvlabxuo.Objects/Initializer.cs	.Net Code: CloneInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.file2.exe.a20000.0.unpack, Hblvlabxuo.Objects/Initializer.cs	.Net Code: RemoveInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.file2.exe.a20000.0.unpack, Hblvlabxuo.Objects/Initializer.cs	.Net Code: CloneInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.file2.exe.a20000.0.unpack, Hblvlabxuo.Objects/Initializer.cs	.Net Code: RemoveInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.2.file2.exe.a20000.0.unpack, Hblvlabxuo.Objects/Initializer.cs	.Net Code: CloneInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: file1.exe.0.dr

Static PE information: 0xBDAE5991 [Tue Nov 4 09:46:57 2070 UTC]

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 4_2_003F311C push esi; retf	4_2_003F311F
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 4_2_003F2C0E push esi; retf	4_2_003F2C11
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 4_2_003F2A04 push esi; retf	4_2_003F2A75
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 4_2_003F30BC push esi; retf	4_2_003F30BF
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Code function: 4_2_003FF8E2 push edi; retf	4_2_003FF8E4
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_00A300D6 push edi; retf	5_2_00A300D8
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_00A230D9 push edi; ret	5_2_00A230E0
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Code function: 5_2_00A22BFC push edi; ret	5_2_00A22CAC
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 24_2_013AC078 push ds; retf	24_2_013AC0AE

Source: initial sample	Static PE information: section name: .text entropy: 7.26492487859
Source: initial sample	Static PE information: section name: .text entropy: 7.23635224737
Source: initial sample	Static PE information: section name: .text entropy: 7.26492487859
Source: initial sample	Static PE information: section name: .text entropy: 7.23635224737

Source: C:\Users\user\AppData\Local\Temp\file2.exe	File created: C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\file2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to dropped file
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\file1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\file2.exe	File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\AppData\Local\Temp\file2.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: file1.exe, 00000004.00000002.417743269.0000000002969000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.420601026.00000000030E4000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Window / User API: threadDelayed 2267	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Window / User API: threadDelayed 2266	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Window / User API: threadDelayed 9555	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\file1.exe TID: 4440	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe TID: 4724	Thread sleep count: 2266 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe TID: 4520	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5044	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1632	Thread sleep count: 9555 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1632	Thread sleep count: 280 > 30	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5228	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: file1.exe	Binary or memory string: M8x\7ksyfGUYaeYpqVSGUYKeYxvbXGUY1vMRKStDKMS3mPFdT4yjHN5hGpFeGUYyeYMVjPjKMU0ErquCaGUYxvMCIO74yjETzDCkEhlGPE\7WwknEMowjeYQUrEMowo8wApSIZRgR5h+S4QyjDDdFfxJUIZRgh5heSwQyjCDzA8lAhlGAHmG6ZrjKMP1yN/S+DonfE00er+IJvDK3\7PFTDKMNwJMsV3MWyZnwknZ8Z0Y1g9owrNdPpGa6fT010+hTXT
Source: file2.exe, 00000005.00000002.420601026.00000000030E4000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: wscript.exe, 00000000.00000002.257990768.000001560A1D0000.00000002.00000001.sdmp, InstallUtil.exe, 00000017.00000002.511625785.0000000005FF0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: file2.exe, 00000005.00000002.420601026.00000000030E4000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: file2.exe	Binary or memory string: tJq\7SeAVZ9CdklYhnZD0FlK1JPCK/Ky4CTqAtFjSUaTzks4iRboL+glpmqRqpHJJ4BX5ufUQBF5xBn0kCbziC7TcUxB4xZm01EsQeMUX6\7QRvQeAVZ1E/H0HgFWfTakngFefQg1ZB4BXn0jxfQeAV51FiEwRecT7dIAm8YjHN8BMEXnEBjawlCLziQnpCEnjFRXSCvyDwioupX4\7Ag8IpLaJwk8IpL6DlJ4AeX0p2BgsAPvkRXBwkCP7iMFgYLivO
Source: wscript.exe, 00000000.00000003.248521779.0000015609010000.00000004.00000001.sdmp, Inv-04_PDF.vbs	Binary or memory string: 'EOLypHIAnSmqeolydOzhWCdpdhWICknIGijkgiLBXqOvEuwkHGFsvkJBkWVHkzyCfekvFASuCyKgohkilmAvfuMVZhAKNEQXrLQaKAfHoKpxadMClnVyzCWkRPWXAIgyimodQJYkGtHUEPuwVxYaiRXpogIveIGgeqOnoilbOlrGvCfCUZBCjGQQPzokBdGymbqNAHHmMxLwZRtmAFaEGDwXaxYpuAalftTULRCNSPqmuTqxFCkvCBrieTnCiSsLWaRgxZbiDNmrNKcGGajsQfjeBkpsezezWfPUCKzgaBroOzVTqhvHizurrnfMjiEDjnUivIDwaDRPnuPBPWBwEWRWkXdPfnwrwoFaemXidzgeieEwXdxMgIzMWyxYeoRnHZTypoWczTTEpm
Source: file1.exe	Binary or memory string: AC8Gh8ncjVW8ES+lXz/eH2jq5V8hZXBn1lYqXCUWViabkycStWxK9znzr/04queVQFKc5F\7pTkWv3PxDHMQch6xN7EMSxIlCICPLWI0DaT3RAjXNUkvh0oR8eWKsxxjutJXyBzKdUQGfUWbk8D+ThRm7DRGRGwKcF1xq0oDHaFFP\7pAHnxG3IjO3NyZtqRBTjWG29nyKkh0VmCIEwU3Ie+4yk4ymTiU55WDy5wX64Bduey3W9+aNu5126/R3Q0cRNB
Source: file2.exe	Binary or memory string: U+XKS9ArVtnnzUafYpQHC6UZJAvSZXRjwvoEgCtxqSDZmCcz2uaCpK\7HKU1IDXAuoVzt21i5gynLwtCbkGIxIrdb/pFkxJXQMEoltVIQe/t2vXE739vJRnqposygCzd6Ap6JquBamchjgsvunjzvap/KeRmt\7Q8etkrjHvBmBD86JuvkYHosab5R5AlhnUbNwJwWgcNoTmbkUawCSeWfHA8HgFsh0P8e8W6jONDaoaQrp0H2bWKABs+cmjShhWibpo
Source: file2.exe, 00000005.00000002.420601026.00000000030E4000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: file1.exe	Binary or memory string: YXBSuKEXdBJx6Ct3mWvH/lebby0CmDdoJU5\74GX7VAlXfLcLwHr64XxNDAG3q2NUlEfuaGY/eXgMECJq/M86pIIYoZs6lre/eEZC3V9Sb5CUDr43nQEwxJhGfSc7Vdgc+8iEdM8u+\7zDl7//GQvhlhc+b4II1/btk6Ut3Ptvhk9eLtIi1F4q/gKFdEVmUmtavQswcs47E71N29Ruv9oXi5RcK2Gfqb0xZYFV4rFjPIdDcyG\7mYckC8ZMroPbGLxyq
Source: wscript.exe, 00000000.00000002.257990768.000001560A1D0000.00000002.00000001.sdmp, InstallUtil.exe, 00000017.00000002.511625785.0000000005FF0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.257990768.000001560A1D0000.00000002.00000001.sdmp, InstallUtil.exe, 00000017.00000002.511625785.0000000005FF0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.257990768.000001560A1D0000.00000002.00000001.sdmp, InstallUtil.exe, 00000017.00000002.511625785.0000000005FF0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: wscript.exe, 00000000.00000002.256836199.0000015609A58000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}xT

Source: C:\Users\user\AppData\Local\Temp\file1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\file1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: file1.exe.0.dr

Jump to dropped file

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 438000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 43A000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: CE8008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: A34008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\file1.exe 'C:\Users\user\AppData\Local\Temp\file1.exe'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\file2.exe 'C:\Users\user\AppData\Local\Temp\file2.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Jump to behavior

Source: InstallUtil.exe, 00000017.00000002.504611547.0000000001930000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000017.00000002.504611547.0000000001930000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: InstallUtil.exe, 00000017.00000002.504611547.0000000001930000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: InstallUtil.exe, 00000017.00000002.504611547.0000000001930000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: InstallUtil.exe, 00000017.00000002.504611547.0000000001930000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\file1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\file2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\file2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 4.2.file1.exe.3ca7650.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.39c7c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3a3fc58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3cf7670.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3ca7650.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3c4ba30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3cf7670.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp, type: MEMORY

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 4.2.file1.exe.3ca7650.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.39c7c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3a3fc58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3cf7670.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3ca7650.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3c4ba30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3cf7670.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5808, type: MEMORY

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file2.exe PID: 6012, type: MEMORY

Source: Yara match	File source: 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5808, type: MEMORY

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: file2.exe, 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 4.2.file1.exe.3ca7650.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.39c7c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3a3fc58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3cf7670.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3ca7650.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3c4ba30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3cf7670.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp, type: MEMORY

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 4.2.file1.exe.3ca7650.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.39c7c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3a3fc58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3cf7670.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3ca7650.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3c4ba30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.file1.exe.3cf7670.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5808, type: MEMORY

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file2.exe PID: 6012, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Process Injection212	Masquerading2	Input Capture11	Query Registry1	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting121	DLL Side-Loading1	Registry Run Keys / Startup Folder1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery311	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution1	Logon Script (Windows)	DLL Side-Loading1	Virtualization/Sandbox Evasion131	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection212	NTDS	Virtualization/Sandbox Evasion131	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Scripting121	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	System Information Discovery113	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Timestomp1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	DLL Side-Loading1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\file1.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\file2.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	Metadefender		Browse
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\file1.exe	29%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\file1.exe	52%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Local\Temp\file2.exe	37%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\file2.exe	57%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe	37%	Metadefender		Browse
C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe	57%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
24.2.InstallUtil.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
23.2.InstallUtil.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com.	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp//	0%	URL Reputation	safe
http://gKSfZA.com	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.founder.com.cn/cnt-p	0%	Avira URL Cloud	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cni	0%	URL Reputation	safe
http://www.founder.com.cn/cni	0%	URL Reputation	safe
http://www.founder.com.cn/cni	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://www.founder.com.cn/cnd	0%	URL Reputation	safe
http://www.founder.com.cn/cnd	0%	URL Reputation	safe
http://www.founder.com.cn/cnd	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.carterandcone.comtig(	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/I	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/I	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/I	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/A	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/A	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/A	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.fontbureau.come.com	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.fontbureau.comm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersF	file1.exe, 00000004.00000003.255745631.0000000005B06000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false		high
http://www.tiro.com.	file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersC	file1.exe, 00000004.00000003.257384126.0000000005B06000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersB	file1.exe, 00000004.00000003.262045265.0000000005B06000.00000004.00000001.sdmp	false		high
http://www.tiro.com	file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersZ	file1.exe, 00000004.00000003.255783808.0000000005B06000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersP	file1.exe, 00000004.00000003.256018539.0000000005B06000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	file1.exe, 00000004.00000003.260733212.0000000005AE4000.00000004.00000001.sdmp, file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersers	file1.exe, 00000004.00000003.255996734.0000000005B06000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp//	file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://gKSfZA.com	InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersw	file1.exe, 00000004.00000003.256018539.0000000005B06000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cnt-p	file1.exe, 00000004.00000003.252218602.0000000005AE1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%GETMozilla/5.0	InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.ascendercorp.com/typedesigners.html	file1.exe, 00000004.00000003.254663518.0000000005B06000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.com	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cni	file1.exe, 00000004.00000003.252218602.0000000005AE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	file1.exe, 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, InstallUtil.exe, 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnd	file1.exe, 00000004.00000003.251985976.0000000005AE6000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	file1.exe, 00000004.00000003.252695976.0000000005AE7000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false		high
http://DynDns.comDynDNS	InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fonts.comc	file1.exe, 00000004.00000003.250853437.0000000005AEB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comn	file1.exe, 00000004.00000003.252450344.0000000005AE9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comtig(	file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.jiyu-kobo.co.jp/I	file1.exe, 00000004.00000003.254192747.0000000005ADA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/A	file1.exe, 00000004.00000003.254192747.0000000005ADA000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.come.com	file1.exe, 00000004.00000002.425311594.0000000005AD0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmp, file1.exe, 00000004.00000003.251985976.0000000005AE6000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false		high
http://www.fontbureau.comm	file1.exe, 00000004.00000002.425311594.0000000005AD0000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/fr-c	file1.exe, 00000004.00000003.254192747.0000000005ADA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/a	file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp	false		unknown
http://www.fontbureau.com/designers/	file1.exe, 00000004.00000003.255713488.0000000005B06000.00000004.00000001.sdmp	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452070
Start date:	21.07.2021
Start time:	19:52:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Inv-04_PDF.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@13/11@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.5% (good quality ratio 0.3%) Quality average: 37.3% Quality standard deviation: 33.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 138 Number of non-executed functions: 5
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/452070/sample/Inv-04_PDF.vbs

Simulations

Behavior and APIs

Time	Type	Description
19:54:42	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
19:54:57	API Interceptor	166x Sleep call for process: InstallUtil.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41064
Entropy (8bit):	6.164873449128079
Encrypted:	false
SSDEEP:	384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5:	EFEC8C379D165E3F33B536739AEE26A3
SHA1:	C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256:	46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512:	497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..\|J..........lm.......o......................................2~.....o.....r...p(....VrK..p(....s...........0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........................."..(.....{Q...-...}Q.....(+...(....(,....(+..."..(-.....(......(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	950
Entropy (8bit):	5.350971482944737
Encrypted:	false
SSDEEP:	24:MLiKNE4qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MeIH2HKXwYHKhQnoPtHoxHhAHKzva
MD5:	CEE81B7EB08EE82CFE49E47B81B50D1A
SHA1:	4746C7068BD50E3309BFFDBE8983B8F27D834DFD
SHA-256:	B9A90255691E7C9D3CCBD27D00FC514DDD6087446D8DB03335CEF1B5634CC460
SHA-512:	AF5865439412974FCB6B11E22CFFF1ACA0BEBF83CF398D6056CEEF93720AF0FBCB579858C39E6AA0D989680F2180F2CA181D7D12887604B420D0E1976B8AEA77
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file1.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\file1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1299
Entropy (8bit):	5.353835388147306
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4xLE4qE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
MD5:	D7428B0428DC5FA72A41122D265CFA0E
SHA1:	F485E2EC6F980F218063AF527724C088617B3B94
SHA-256:	C49B31FB28F5EC1B5A82D45DF4A0A88DBC26E468BA007D8E63C800BA69CC5FFC
SHA-512:	FD5BC965FD28DC219F2703726A34A7156D1B71B9199617136F936DD5DDBB2CA65175FBB4B761243635493D6CABE3069406B4D4473DEEB93FDCDA1F392345683B
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file2.exe.log Download File
Process:	C:\Users\user\AppData\Local\Temp\file2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1299
Entropy (8bit):	5.353835388147306
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4xLE4qE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
MD5:	D7428B0428DC5FA72A41122D265CFA0E
SHA1:	F485E2EC6F980F218063AF527724C088617B3B94
SHA-256:	C49B31FB28F5EC1B5A82D45DF4A0A88DBC26E468BA007D8E63C800BA69CC5FFC
SHA-512:	FD5BC965FD28DC219F2703726A34A7156D1B71B9199617136F936DD5DDBB2CA65175FBB4B761243635493D6CABE3069406B4D4473DEEB93FDCDA1F392345683B
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\InstallUtil.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\file2.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41064
Entropy (8bit):	6.164873449128079
Encrypted:	false
SSDEEP:	384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5:	EFEC8C379D165E3F33B536739AEE26A3
SHA1:	C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256:	46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512:	497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..\|J..........lm.......o......................................2~.....o.....r...p(....VrK..p(....s...........0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........................."..(.....{Q...-...}Q.....(+...(....(,....(+..."..(-.....(......(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s

C:\Users\user\AppData\Local\Temp\file1.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	861184
Entropy (8bit):	7.283904937853201
Encrypted:	false
SSDEEP:	24576:N+MOQW87bhQxtVUbJLy5yLlSKElPlHsQ2Ze:N+rQQxtVUREplD
MD5:	672E9FDC80F39F27F98A048B9F51AEA0
SHA1:	506479C1633363F4AC0276E59D6B66F648CF4A33
SHA-256:	A9497517888F5E6E725FA5AFD4FAED80EEC9F218438DBCCF2C9E6E1B37AA8ED1
SHA-512:	EB8BB241076CFBDA03DB01D20341CC73FD7A807CE33442528232941C89C2DA0007E0CEE339D82C27446C9310B00036D1816BE8E5F3A78EE85E37CDD4D9194E3C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 52%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y................0......@........... ... ....@.. ....................................@.....................................K.... ...<...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....<... ...>..................@..@.reloc.......`......."..............@..B........................H........1...-..........D_..J...........................................b.r...p}.....(.....(........0..B.........8&.....(....(.... ....(......(....(......X....?.....{.....o......^.{....o....9.....(....^(...........s....o....2(.....o........0..7........rI..p(....(..........&.r_..p~....o.......(.............................0..,........{....o....s....&.....o....(.....(...........................9.....{....9.....{....o......(........0...........s....}.....s....}.....s....

C:\Users\user\AppData\Local\Temp\file2.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	897536
Entropy (8bit):	7.255695547404168
Encrypted:	false
SSDEEP:	24576:m+MOQW87bhQxtVUDjTcBvz2OrL9drTKqwJ:m+rQQxtVUXTiV9drTKH
MD5:	B564A2BAE72F01F3E3FB726184FED4C9
SHA1:	C64494A88D69FE8974E5742841D1D12FC07C0D6E
SHA-256:	03707D7AD90DB602966AE1E86703672C77D0EC94BD125CD026846F188F893BE1
SHA-512:	7779A5E4F7B7136C72034667C8A0E7C13CEC1C2A02CCDDE65BB936609333B86B1E7D5C3A7AE6CBB46462244DD134A3DAF2BD9AF6A6D43E8CED33F4F1A52D5DA3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 37%, Browse Antivirus: ReversingLabs, Detection: 57%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....H...............0..p...@........... ........@.. ....................................@.....................................K........<........................................................................... ............... ..H............text....o... ...p.................. ..`.rsrc....<.......>...r..............@..@.reloc..............................@..B........................H.......\|7.../..........8g...'............................................r...p}....8.....(....8.....(....8.....0..s.......8'...8Z...8D......X..8J....{.....o....8.......8.... ....(....8......(....(....8......(....(....8........?....8......8.....(....8.....{....o....9....8.....r(...........s....o....8.......2(.....o........0..Y.......8........rE..p(....(......8.........&8.....(......8.....r[..p~....o......8........8................%./.....0..F.........{....o....8....s..

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type:	International EBCDIC text, with CR line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Cstn:CM
MD5:	C627D2AE1FEA9AB62F2803C72BF9F7BD
SHA1:	E5C1399020CC7A6276FC7F8530FBE4FC92F457CB
SHA-256:	DE3317A2EE872B9384C3CE9807FC57532D2B9B15098C8F0457B8D3BDF4A97A46
SHA-512:	1A47849B4D3EF2F9ED81DFB1802174B9AAEA72ECE9D06E6049BA8F6ED9BC54EFE5E77CB46A84BA7F51139A1FC555BB1FEAB56A417F3E7731FFCF0153E09436FD
Malicious:	true
Reputation:	unknown
Preview:	....L.H

C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\file2.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	897536
Entropy (8bit):	7.255695547404168
Encrypted:	false
SSDEEP:	24576:m+MOQW87bhQxtVUDjTcBvz2OrL9drTKqwJ:m+rQQxtVUXTiV9drTKH
MD5:	B564A2BAE72F01F3E3FB726184FED4C9
SHA1:	C64494A88D69FE8974E5742841D1D12FC07C0D6E
SHA-256:	03707D7AD90DB602966AE1E86703672C77D0EC94BD125CD026846F188F893BE1
SHA-512:	7779A5E4F7B7136C72034667C8A0E7C13CEC1C2A02CCDDE65BB936609333B86B1E7D5C3A7AE6CBB46462244DD134A3DAF2BD9AF6A6D43E8CED33F4F1A52D5DA3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 37%, Browse Antivirus: ReversingLabs, Detection: 57%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....H...............0..p...@........... ........@.. ....................................@.....................................K........<........................................................................... ............... ..H............text....o... ...p.................. ..`.rsrc....<.......>...r..............@..@.reloc..............................@..B........................H.......\|7.../..........8g...'............................................r...p}....8.....(....8.....(....8.....0..s.......8'...8Z...8D......X..8J....{.....o....8.......8.... ....(....8......(....(....8......(....(....8........?....8......8.....(....8.....{....o....9....8.....r(...........s....o....8.......2(.....o........0..Y.......8........rE..p(....(......8.........&8.....(......8.....r[..p~....o......8........8................%./.....0..F.........{....o....8....s..

\Device\ConDrv Download File
Process:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2017
Entropy (8bit):	4.663189584482275
Encrypted:	false
SSDEEP:	48:zK4Qu4D4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKJDEcTytNe3Wo3uQVBIe+5
MD5:	9C305D95E7DA8FCA9651F7F426BB25BC
SHA1:	FDB5C18C26CF5B83EF5DC297C0F9CEBEF6A97FFC
SHA-256:	444F71CF504D22F0EE88024D61501D3B79AE5D1AFD521E72499F325F6B0B82BE
SHA-512:	F2829518AE0F6DD35C1DE1175FC8BE3E52EDCAFAD0B2455AC593F5E5D4BD480B014F52C3AE24E742B914685513BE5DF862373E75C45BB7908C775D7E2E404DB3
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) .NET Framework Installation utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u \| /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	5.891219578404424
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	Inv-04_PDF.vbs
File size:	2437367
MD5:	b6a05c3a37dde3db4a8005dfaeda9e97
SHA1:	c0b64b85e13865a76136ce2d5674ebca53246566
SHA256:	1d5026cbfdcd2825631dd77f8f5149e275f03ec78390f94e63dad83d778569c1
SHA512:	730b73dc411f25c3c79d1fe6272c797a076ab85da48162379ad32ad36c40806b2a13cf0671ab3e646c45a34fbeaf5f95091e2c7bfcfb10a889b6a17ef2de0e16
SSDEEP:	24576:Rqf8Lpx7oAbNFypaURT3UuL42eUyp2CLHiLG8b5/tXC5I3ASYovcOpiWmSi3D0IA:0kfpg5/byl8b5lGIQY0Opg0IDhO
File Content Preview:	on error resume next..Dim HLNFgkxYOKrKFdAlKIeEZwBFfGOyXZsoEfGAqmFqVRmFHSnSYpmcRNCLKIaaVyBoRCFaXAuYCojHJwxMTvahnQXqcvqiLfUWPynEMNvYuOZcevBNKNHaYUBAfOxbKLMXTMsLItAFACmYquMhucYyXuxvwmZxPTNiCCJRCpFRNBZWicJkBPhinNzYOxOVTCqgoDWokveEWHlW..'VbMUcpvAmfvoCkCFajxKLs

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 2540 Parent PID: 3472

General

Start time:	19:53:14
Start date:	21/07/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs'
Imagebase:	0x7ff78a940000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.239940723.0000015609951000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.237652403.0000015608C41000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.238803642.0000015608A41000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.239481925.0000015609951000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.248521779.0000015609010000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: file1.exe PID: 4900 Parent PID: 2540

General

Start time:	19:53:19
Start date:	21/07/2021
Path:	C:\Users\user\AppData\Local\Temp\file1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\file1.exe'
Imagebase:	0x3f0000
File size:	861184 bytes
MD5 hash:	672E9FDC80F39F27F98A048B9F51AEA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, Metadefender, Browse Detection: 52%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: file2.exe PID: 6012 Parent PID: 2540

General

Start time:	19:53:20
Start date:	21/07/2021
Path:	C:\Users\user\AppData\Local\Temp\file2.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Local\Temp\file2.exe'
Imagebase:	0xa20000
File size:	897536 bytes
MD5 hash:	B564A2BAE72F01F3E3FB726184FED4C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, Author: Florian Roth Rule: NanoCore, Description: unknown, Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, Metadefender, Browse Detection: 57%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: InstallUtil.exe PID: 4072 Parent PID: 6012

General

Start time:	19:54:37
Start date:	21/07/2021
Path:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase:	0x360000
File size:	41064 bytes
MD5 hash:	EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: InstallUtil.exe PID: 5808 Parent PID: 4900

General

Start time:	19:54:37
Start date:	21/07/2021
Path:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase:	0xb30000
File size:	41064 bytes
MD5 hash:	EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: InstallUtil.exe PID: 5416 Parent PID: 6012

General

Start time:	19:54:38
Start date:	21/07/2021
Path:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase:	0x990000
File size:	41064 bytes
MD5 hash:	EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	moderate

Chronological Activities

Analysis Process: dhcpmon.exe PID: 2872 Parent PID: 3472

General

Start time:	19:54:50
Start date:	21/07/2021
Path:	C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Imagebase:	0x6b0000
File size:	41064 bytes
MD5 hash:	EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 5208 Parent PID: 2872

General

Start time:	19:54:51
Start date:	21/07/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: file1.exe PID: 4900 Parent PID: 2540 file1.exeCOMMON

Executed Functions

Function 00BD9670, Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BD98B6

Memory Dump Source

Source File: 00000004.00000002.416399360.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7457a412057f7ccc721b256dd867d888e172eadca4494b7a3c43353fba9ba6b2
Instruction ID: 3006e150c1d8214d7599218b1aed77f81b922c035680dec106c7a60a5d4ee3c8
Opcode Fuzzy Hash: 7457a412057f7ccc721b256dd867d888e172eadca4494b7a3c43353fba9ba6b2
Instruction Fuzzy Hash: 327124B0A10B058FDB24DF2AD04179AFBF1FF88704F00896AD45AD7B50EB75E8058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00BDDC44, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00BDFDEA

Memory Dump Source

Source File: 00000004.00000002.416399360.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0e5b8f35ce50783eef7916a59d04f884cb834f9329021f7f2c81898b7b9fce3c
Instruction ID: b9520870a3d7e2403255e67b49fe4205274c23a5660670e4d1e3fd39aedc5071
Opcode Fuzzy Hash: 0e5b8f35ce50783eef7916a59d04f884cb834f9329021f7f2c81898b7b9fce3c
Instruction Fuzzy Hash: D451AEB1D042099FDB14CFA9C884ADEFBF5FF48314F24816AE819AB211D7749945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00BD38A8, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00BD5401

Memory Dump Source

Source File: 00000004.00000002.416399360.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 323822f237718fb73fd9cba5de682f5d3993f014cee7f23e1b9c895a288d685a
Instruction ID: e3b280d2d8a94b4d5653085be53d057d06a0b0c24057f348efbebaa824918ff4
Opcode Fuzzy Hash: 323822f237718fb73fd9cba5de682f5d3993f014cee7f23e1b9c895a288d685a
Instruction Fuzzy Hash: DD41EEB1C00618CBDB24CFA9C884B9EBBB1BF49308F20846AD509AB255DB756945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00BD534C, Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00BD5401

Memory Dump Source

Source File: 00000004.00000002.416399360.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: af84100ef41bcbcb14b4c31d7c836070af3a480b0e394b4228e353cbd585452b
Instruction ID: 5de940186f846f38c71877ff252e3c328abdb4163d3a12fb5c3f2ec998397425
Opcode Fuzzy Hash: af84100ef41bcbcb14b4c31d7c836070af3a480b0e394b4228e353cbd585452b
Instruction Fuzzy Hash: 0841DFB1C00618CBDB24CFA9C884BDEBBF5BF49308F20846AD508AB255DB756946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00BD9610, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BDB85E,?,?,?,?,?), ref: 00BDB91F

Memory Dump Source

Source File: 00000004.00000002.416399360.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 944ced411e67640ac369cc10aa137d329f3a4e2b315d1a4b102649431a300c99
Instruction ID: af1af4bdbca5dc95678701b8c0d5e4cd54d660e75c27d296e07203f80826597d
Opcode Fuzzy Hash: 944ced411e67640ac369cc10aa137d329f3a4e2b315d1a4b102649431a300c99
Instruction Fuzzy Hash: F02105B5900248EFDB10CFA9D484AEEFBF8EB48324F14805AE919B7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BDB890, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00BDB85E,?,?,?,?,?), ref: 00BDB91F

Memory Dump Source

Source File: 00000004.00000002.416399360.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 022de85ae4b275c4df0f385e87241f879d1c60e777e467d99adcba3e4783d555
Instruction ID: 19b8a3b9ffeb501c36ed34b3da6d2c480a05d2f9332c59ec1a67fbd7a5bd7e6b
Opcode Fuzzy Hash: 022de85ae4b275c4df0f385e87241f879d1c60e777e467d99adcba3e4783d555
Instruction Fuzzy Hash: 762105B5900249EFDB10CFAAD484ADEFBF4EB48324F14801AE954A3310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BD9288, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00BD9931,00000800,00000000,00000000), ref: 00BD9B42

Memory Dump Source

Source File: 00000004.00000002.416399360.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c95ad65631ac09b17a4e91c233390ca2db0ab23769330ebdb20dd24c59105d5b
Instruction ID: fe60073abb8f8eb3aa6286a6f987f45b151ccd2d247a027366db68cf3c8d4956
Opcode Fuzzy Hash: c95ad65631ac09b17a4e91c233390ca2db0ab23769330ebdb20dd24c59105d5b
Instruction Fuzzy Hash: 241130B28002089FCB10CFAAD444BDEFBF4EB88324F05842AE519A7300D374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BD9850, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00BD98B6

Memory Dump Source

Source File: 00000004.00000002.416399360.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c1a84ced1ad6739cfb8a2d434558ea1218833a9b9240c199548ee1a74680d4c5
Instruction ID: dd897a6cb4f74ea2831d3f129fe8527d2440005cb84d8a735ad7b8491bac561f
Opcode Fuzzy Hash: c1a84ced1ad6739cfb8a2d434558ea1218833a9b9240c199548ee1a74680d4c5
Instruction Fuzzy Hash: 7711FDB6C002498BCB20CF9AD444BDEFBF4EB89324F14846AD429A7600D375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BDDC7C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,00BDFF08,?,?,?,?), ref: 00BDFF7D

Memory Dump Source

Source File: 00000004.00000002.416399360.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 83af644382d31b7a00569008033771fd20fb260fe304eb88daf968479df0558e
Instruction ID: f1edfcf05a7222f75540e87b36edb81fa1d1dcd9e102a26dc095ff48fe04ba20
Opcode Fuzzy Hash: 83af644382d31b7a00569008033771fd20fb260fe304eb88daf968479df0558e
Instruction Fuzzy Hash: DF1122B58042099FDB20CF99D484BEEFBF8EB49324F14846AE919A7300D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416209644.0000000000B7D000.00000040.00000001.sdmp, Offset: 00B7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7205135c10856c90c2bbbca165222ac26391048a60fb1b7883d79ad5cf2aa880
Instruction ID: ca0c1d32c7d1985e5c676e1f223386c624c704f5fa7403ea298160d5f2124caf
Opcode Fuzzy Hash: 7205135c10856c90c2bbbca165222ac26391048a60fb1b7883d79ad5cf2aa880
Instruction Fuzzy Hash: 002122B1504244DFDB15DF14D9C0B26BFB5FFA8368F24C6A9E9095B206C336D846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416265531.0000000000B8D000.00000040.00000001.sdmp, Offset: 00B8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890391adde92a30493c2e2e98fd411056805e71d119f223e60406b008d8cfab6
Instruction ID: 36a8f087488e2017fed1d0fcbb19bb481e071433d3b3463c2414e87f4d5cc0c1
Opcode Fuzzy Hash: 890391adde92a30493c2e2e98fd411056805e71d119f223e60406b008d8cfab6
Instruction Fuzzy Hash: B2213771508304DFDB14EF10D8D4B26BBA5FB88324F24C6AAD8094B396C336D847CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416265531.0000000000B8D000.00000040.00000001.sdmp, Offset: 00B8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bd571e28c9aec462ed3ab12acd4e39f15092006ee85cf55aabd475d11e2f41e
Instruction ID: e5bd1e61a434974df7f059e7c0c0035121bb027ed32763552f768d57c792f0f9
Opcode Fuzzy Hash: 3bd571e28c9aec462ed3ab12acd4e39f15092006ee85cf55aabd475d11e2f41e
Instruction Fuzzy Hash: 9D2129B1504204DFDB01EF54D9C4F26BBE5FB88314F24CAAED9094B2A2C336D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D3C4, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416265531.0000000000B8D000.00000040.00000001.sdmp, Offset: 00B8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a082305038bb5971ac6244028d6a4287274bd4ae3951dc781c84c59eba33248
Instruction ID: c3ea6b3595859b257bf256397ac2a19052ee251100551b010eeebf11504e79a2
Opcode Fuzzy Hash: 2a082305038bb5971ac6244028d6a4287274bd4ae3951dc781c84c59eba33248
Instruction Fuzzy Hash: 302105B1908244DFD714EF14D9C4B2ABBE5FB94324F28C6AAD5094B391C736E806C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416265531.0000000000B8D000.00000040.00000001.sdmp, Offset: 00B8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e596c49393ab147330bc766822bfa145ac6fff081f07449119cc1dd575971430
Instruction ID: 764f75f6e1a49aac4c322bb8247c60b3ef9e72d05fe6140f36fe2650924e3fbf
Opcode Fuzzy Hash: e596c49393ab147330bc766822bfa145ac6fff081f07449119cc1dd575971430
Instruction Fuzzy Hash: 0921A7755093808FDB02CF24D994715BF71EB45314F28C5DBD8458B6A7C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416209644.0000000000B7D000.00000040.00000001.sdmp, Offset: 00B7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cc86b5ff79ce043c803af90b915b5d7a1ca48b01667a36e239ea52a940d4d9
Instruction ID: 6c3d73e02936268d2dd40ca5b6dd34c24f1caeabbb751224403148ea319d2230
Opcode Fuzzy Hash: b7cc86b5ff79ce043c803af90b915b5d7a1ca48b01667a36e239ea52a940d4d9
Instruction Fuzzy Hash: 6D11D376504280CFCB11CF14D9C4B16BFB1FF94324F24C6A9D8490B616C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416265531.0000000000B8D000.00000040.00000001.sdmp, Offset: 00B8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e48e4748a45bc7b91dcd6aa8ebc28c847b65a88b089b38da77094b7edb9447c
Instruction ID: e01663db59fa4e0055831ae24e07c018cfd841f60f5e8015f66a56bf40c870de
Opcode Fuzzy Hash: 4e48e4748a45bc7b91dcd6aa8ebc28c847b65a88b089b38da77094b7edb9447c
Instruction Fuzzy Hash: 16119D75904284DFDB11DF14D9C4B15FBB1FB84324F28C6AED8494B6A6C33AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00B8D3BF, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416265531.0000000000B8D000.00000040.00000001.sdmp, Offset: 00B8D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12dbf85d914fe0d6ddc1fd61b5b9352e27c7d992790d7085f398c905dc7029a7
Instruction ID: d14c20f2a763c3e4426416fb322dce0e54f9e058437e56e9b63435c9f7b2fe5c
Opcode Fuzzy Hash: 12dbf85d914fe0d6ddc1fd61b5b9352e27c7d992790d7085f398c905dc7029a7
Instruction Fuzzy Hash: 8B11C675504284CFDB11DF14E5C4719FBB1FB84324F28C6AAD8494B756C33AE84ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416209644.0000000000B7D000.00000040.00000001.sdmp, Offset: 00B7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb28dc561794701cc7e53eb764c534cbb73199fc5f6aea469fe822caf72798d
Instruction ID: d975e53c90f869105b517d6f21307ecb1e314587a367595905ec5b7152ff09b5
Opcode Fuzzy Hash: bdb28dc561794701cc7e53eb764c534cbb73199fc5f6aea469fe822caf72798d
Instruction Fuzzy Hash: 6601F7715083449AE7244A26CCC47A6FBE8EF943B4F18C599ED1D5B247C3789C44C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 00B7D730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416209644.0000000000B7D000.00000040.00000001.sdmp, Offset: 00B7D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff206a95adeb08a8b07fa0de1e09e89675f9570ba417865253ab5dcef24e06d
Instruction ID: 1c11a6501c3bdc9aeb2df182d144f77652745e1d85dbcfdd257046d06458f3bc
Opcode Fuzzy Hash: bff206a95adeb08a8b07fa0de1e09e89675f9570ba417865253ab5dcef24e06d
Instruction Fuzzy Hash: E9F0C2724042449FE7148A16CCC4BA2FBE8EF91374F18C55AED081B286C3799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00BDE558, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416399360.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77452addc65b8131735a46edfd99831d3a684cda7d16dc9916ea9e938e63b876
Instruction ID: b3cc29c4deaae7302e4355d26ad663e6844d65747d1b097a74d7683286b794b4
Opcode Fuzzy Hash: 77452addc65b8131735a46edfd99831d3a684cda7d16dc9916ea9e938e63b876
Instruction Fuzzy Hash: 5412B5F9E917468BD310CF65E8881893FE1B765328BD0CA0BD2612BAD1D7B4116ECF48

Uniqueness

Uniqueness Score: -1.00%

Function 00BDC114, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416399360.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a0a93a649e93b787b59db4ad13dca9aaa9c168be1374983a2b36772f65de34
Instruction ID: 531d32b8f6c724d004337b3427d6d4c48f4e650e021ee23dec095c6fd07dd298
Opcode Fuzzy Hash: 52a0a93a649e93b787b59db4ad13dca9aaa9c168be1374983a2b36772f65de34
Instruction Fuzzy Hash: 26A14D36E0061A8FCF05DFA5C94499EFBF2FF85300B1585AAE905BB261EB35A915CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00BDE548, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.416399360.0000000000BD0000.00000040.00000001.sdmp, Offset: 00BD0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f18593cdda6c7a80d77c8fdbdf9c294101ece3743e17277e0c58224cc4432f8
Instruction ID: 31f111ad74369b8b28653e8a91427bd74735239fe6f0a46024d631ff074b5d38
Opcode Fuzzy Hash: 6f18593cdda6c7a80d77c8fdbdf9c294101ece3743e17277e0c58224cc4432f8
Instruction Fuzzy Hash: 02C10DB9E917468BD710CF65E8881897FE1FBA5328F918B0BD1612B6D0D7B4106ECF48

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: file2.exe PID: 6012 Parent PID: 2540 file2.exeCOMMON

Executed Functions

Function 07DC9E90, Relevance: 1.8, Strings: 1, Instructions: 530COMMON

Download Yara Rule

Strings

@ /l, xrefs: 07DCA1E8

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID: @ /l
API String ID: 0-3557151967
Opcode ID: 3812a27771f3dba6a2b71c62ba876fd3b3a6b491a9e86612b2ebe380df534cbf
Instruction ID: 13ba01c214df85e1f7628a538df8bfc15e52210ffcb73966972b90b737108b62
Opcode Fuzzy Hash: 3812a27771f3dba6a2b71c62ba876fd3b3a6b491a9e86612b2ebe380df534cbf
Instruction Fuzzy Hash: 161270B4B0021A8FCB14DF79C4549AEF7F6BF89214B158169E906EB365DB30EC41CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07DEF4B0, Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432135918.0000000007DE0000.00000040.00000001.sdmp, Offset: 07DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac960e0aba3c93af0662d3507028bfe7249fb2c1c5787ff21e226ad5ca51ff61
Instruction ID: e45a474ea1d4e4ed8b6c4999d2c6ffb3b207f1a0acc97b913f966d380157fc50
Opcode Fuzzy Hash: ac960e0aba3c93af0662d3507028bfe7249fb2c1c5787ff21e226ad5ca51ff61
Instruction Fuzzy Hash: 26126BB4A042069FCB15DF68C5849AAFBF2FF89204B1AC499E549DB762C730EC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 07DC5DE8, Relevance: 37.0, Strings: 27, Instructions: 3208COMMON

Download Yara Rule

Strings

\}l, xrefs: 07DC7005
,1k, xrefs: 07DC8DF1
xxl, xrefs: 07DC67F2
h1yl, xrefs: 07DC7C25
1k, xrefs: 07DC8B3F
t5yl, xrefs: 07DC6CEE
d+}l, xrefs: 07DC7899
t%yl, xrefs: 07DC68B4
xl, xrefs: 07DC9042
LQzl, xrefs: 07DC928C
(}l, xrefs: 07DC7198
d zl, xrefs: 07DC92ED
<}l, xrefs: 07DC6FA4
hC}l, xrefs: 07DC7D50
8}l, xrefs: 07DC8006
<n}l, xrefs: 07DC77D3
(1k, xrefs: 07DC8A1C
Gzl, xrefs: 07DC7BC4
t1k, xrefs: 07DC8CCE
\xl, xrefs: 07DC5FD2
l1k, xrefs: 07DC89BB
Xc}l, xrefs: 07DC8E52
X1k, xrefs: 07DC86A8
xxl, xrefs: 07DC81F6
1k, xrefs: 07DC882C
H1k, xrefs: 07DC8BA0
D!yl, xrefs: 07DC61D0

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID: Gzl$ 1k$(1k$(}l$,1k$8}l$<n}l$<}l$D!yl$H1k$LQzl$Xc}l$X1k$\xl$\}l$d zl$d+}l$h1yl$hC}l$l1k$t%yl$t5yl$t1k$xxl$xxl$1k$xl
API String ID: 0-575388755
Opcode ID: bf34df0324a6a3e5a54a8021dfdb6aa1117442fc226ecc357dbbad19743ddd5a
Instruction ID: eea001d4d39234c02c76c3778bcfef8be6575100c9504b7eedcce1825e43fbb2
Opcode Fuzzy Hash: bf34df0324a6a3e5a54a8021dfdb6aa1117442fc226ecc357dbbad19743ddd5a
Instruction Fuzzy Hash: 6E636F70A00219AFDB259FA4CC51BAD7776FF89704F1040D9E70A6B6A1CB716E81CF26

Uniqueness

Uniqueness Score: -1.00%

Function 07DC41C1, Relevance: 4.0, Strings: 3, Instructions: 242COMMON

Download Yara Rule

Strings

\xl, xrefs: 07DC41E5
hC}l, xrefs: 07DC429B
g}l, xrefs: 07DC41F3

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID: \xl$hC}l$g}l
API String ID: 0-3223250825
Opcode ID: dabc1af4d0989437bf4602bafab9751b4efdcaf0335a03084239713234d03fa6
Instruction ID: bc857bdd4b83a6388c3b82fc0c896192254ce29ef2534e1b2f8ec87ef083755e
Opcode Fuzzy Hash: dabc1af4d0989437bf4602bafab9751b4efdcaf0335a03084239713234d03fa6
Instruction Fuzzy Hash: 4E71A3B4B0818B8F9B24D6688571639BE92DFC6154B2640BEC656CF6B1DF70DC018B63

Uniqueness

Uniqueness Score: -1.00%

Function 02DE93F0, Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02DE9636

Memory Dump Source

Source File: 00000005.00000002.419015068.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 821c6b9cc011ab15af107c8a176c7678a8e619ca0d93d5dc270d154a72c6045a
Instruction ID: d58e668c45d7591dc9c1795258e96eaf2ccde7fddf70d70f90811883f6352901
Opcode Fuzzy Hash: 821c6b9cc011ab15af107c8a176c7678a8e619ca0d93d5dc270d154a72c6045a
Instruction Fuzzy Hash: 6F7113B0A01B058FDB24EF2AD1547AAB7F1FF88218F00892ED58AD7B50D735E805CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02DEEC1C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DEFE6A

Memory Dump Source

Source File: 00000005.00000002.419015068.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 411458a9d4b86e6a4b24e3d55d9fa60551bd30b25f2e1f645adf388b2b920106
Instruction ID: 767358c6627375c7ca169c524ca82c35ebd9d9d6ac26f2453d3dbac16f8717a3
Opcode Fuzzy Hash: 411458a9d4b86e6a4b24e3d55d9fa60551bd30b25f2e1f645adf388b2b920106
Instruction Fuzzy Hash: 4351CFB1D003089FDF14DF99D884ADEBBB5BF48314F24822AE419AB211D770A945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DEFD4C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DEFE6A

Memory Dump Source

Source File: 00000005.00000002.419015068.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: bfcf56527386c9d26d3ebf0dbc46997b55f4f6d24e54ef90849d9ffb326b9eb9
Instruction ID: 13929bc807c94d1e47bbfd33aa4dabfa8708d773456f0359b8de64b2a5aac11f
Opcode Fuzzy Hash: bfcf56527386c9d26d3ebf0dbc46997b55f4f6d24e54ef90849d9ffb326b9eb9
Instruction Fuzzy Hash: 2951C0B1D002089FDF14DFA9C984ADEBBB1BF48314F25822AE419AB711D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DE5344, Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02DE5401

Memory Dump Source

Source File: 00000005.00000002.419015068.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3b93326b746eef6f40d2a20415a3c4840dae3477cc21bcc92e559929bbf5a078
Instruction ID: 0fed6b18ea2e1ca5b5dfbaf04b373ef9a916a63cc38e1337283616d594bf1271
Opcode Fuzzy Hash: 3b93326b746eef6f40d2a20415a3c4840dae3477cc21bcc92e559929bbf5a078
Instruction Fuzzy Hash: 83410271C04219CADB24DFA9D884BCDBBB1FF49308F61806AD409AB251DB755946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DE3E14, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02DE5401

Memory Dump Source

Source File: 00000005.00000002.419015068.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 473c490a55038459189ae2ac46aa2d32d2879184d6591a653eca699e6b388db8
Instruction ID: 9fa9eb4f361d00c54bdea86d6862701b220533d7cc3bc871a3d5d3bb59dc9d48
Opcode Fuzzy Hash: 473c490a55038459189ae2ac46aa2d32d2879184d6591a653eca699e6b388db8
Instruction Fuzzy Hash: 20410271C0421DCBDB24DFA9D8847CEBBB1BF49308F61806AD409BB250DB756945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DE9669, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02DE9636

Part of subcall function 02DE8E78: LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DE96B1,00000800,00000000,00000000), ref: 02DE98C2

Memory Dump Source

Source File: 00000005.00000002.419015068.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 3447e80ae68f8bdf6e5525470ab67a0982efea4ca2d3a452ce89b26a8ffe71d7
Instruction ID: f06149efb7d2ec4de0480170c5bc75cf73a6977f6f0edf08e279855b9c507663
Opcode Fuzzy Hash: 3447e80ae68f8bdf6e5525470ab67a0982efea4ca2d3a452ce89b26a8ffe71d7
Instruction Fuzzy Hash: 2011D2B1A052844FDF10EB69D8107DAB7F5EB85318F04805AC44AE7352D7359C05CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02DEAAEC, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DEB8D6,?,?,?,?,?), ref: 02DEB997

Memory Dump Source

Source File: 00000005.00000002.419015068.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ecac7031bccf3561d904929e5dce7f87f1cabf4401f115c944e8fa8a568ea380
Instruction ID: 0375cedbbe46898090ca6fee2eb0587869ffd6c6ff32372b588f7c6a7fea34c1
Opcode Fuzzy Hash: ecac7031bccf3561d904929e5dce7f87f1cabf4401f115c944e8fa8a568ea380
Instruction Fuzzy Hash: 7021E3B5900208AFDB10DFAAD984ADEFBF4FB48324F14841AE959B3310D375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DE8E60, Relevance: 1.6, APIs: 1, Instructions: 63libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DE96B1,00000800,00000000,00000000), ref: 02DE98C2

Memory Dump Source

Source File: 00000005.00000002.419015068.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6df14a2820d12e61f9ce1ef79c01cc47d56d25208793abea218d1f919d92c887
Instruction ID: abe2e3618e82db4f9522ee53f3b6267f94ec9c1d61dcfe3d7144edf4aa06673e
Opcode Fuzzy Hash: 6df14a2820d12e61f9ce1ef79c01cc47d56d25208793abea218d1f919d92c887
Instruction Fuzzy Hash: 90216AB6C043488FCB10CFA9D494ADAFBF4EB58324F15846AD56AA7311C3749849CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DEB908, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DEB8D6,?,?,?,?,?), ref: 02DEB997

Memory Dump Source

Source File: 00000005.00000002.419015068.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: aa974598d7e529a3a64d3a122059ee7da151140d6a744a6571e0037ce65f95f2
Instruction ID: da9cd746504320a966325b5d5e6a512c81af1d0a105102d960bf49ef6c903efe
Opcode Fuzzy Hash: aa974598d7e529a3a64d3a122059ee7da151140d6a744a6571e0037ce65f95f2
Instruction Fuzzy Hash: 5C21DFB5900208AFDB10CFA9D984ADEBBF4EF48224F14841AE959A3311D378A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DE8E78, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DE96B1,00000800,00000000,00000000), ref: 02DE98C2

Memory Dump Source

Source File: 00000005.00000002.419015068.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 581a17b91d9c4e97f3cd414ea48244506e94d967fd781e26ea773cd218824456
Instruction ID: c37cef46d576f152ddf96b348731209b508bce69fb5f8adabe3291cf2b636628
Opcode Fuzzy Hash: 581a17b91d9c4e97f3cd414ea48244506e94d967fd781e26ea773cd218824456
Instruction Fuzzy Hash: 1D1117B6D002489FCB10DF9AD484BDEFBF4EB88324F04842AD526A7710C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DE9850, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02DE96B1,00000800,00000000,00000000), ref: 02DE98C2

Memory Dump Source

Source File: 00000005.00000002.419015068.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6f4a8171e75ba6a381ea306fcd58f6bbed0c97e690c78ab6934c63c9a91edfbe
Instruction ID: 36a996ae2ba0739cb84d536c5e6ebd3c03b808b41d459e923e1aebdb38262280
Opcode Fuzzy Hash: 6f4a8171e75ba6a381ea306fcd58f6bbed0c97e690c78ab6934c63c9a91edfbe
Instruction Fuzzy Hash: 791126B6D002089FCB10CFAAD484BDEFBF4EB88324F14852AD51AA7710C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02DE95D0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02DE9636

Memory Dump Source

Source File: 00000005.00000002.419015068.0000000002DE0000.00000040.00000001.sdmp, Offset: 02DE0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fc975a1341085d4f49f16f4ffe599b87fff3f979fdc1e7fd4147bf18908c713e
Instruction ID: 8ce42682334363f90f8cb8279cd75a4ccb30ed062e951026fe50efb4fe0e9ce3
Opcode Fuzzy Hash: fc975a1341085d4f49f16f4ffe599b87fff3f979fdc1e7fd4147bf18908c713e
Instruction Fuzzy Hash: 2211CDB6D012898FCB10DF9AD444BDEFBF4AB88224F14846AD41AA7700D379A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 07DCA590, Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

hC}l, xrefs: 07DCA7C8

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID: hC}l
API String ID: 0-1939806625
Opcode ID: f3933adcf1f65056d2534d52e9f7c11229015108bd0e00fc4f163e64ab15fcae
Instruction ID: 1b4183651b07666af21934d6a21f13c559913751ead4704c79530cedddf8c49e
Opcode Fuzzy Hash: f3933adcf1f65056d2534d52e9f7c11229015108bd0e00fc4f163e64ab15fcae
Instruction Fuzzy Hash: 8B716BB47142068FC714DB39D458A2AB7FAAFC9615B1580AEE546CB3B2DA30DC41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 07DEFA58, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

@, xrefs: 07DEFBD2

Memory Dump Source

Source File: 00000005.00000002.432135918.0000000007DE0000.00000040.00000001.sdmp, Offset: 07DE0000, based on PE: false

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e5f0313a9b6660e0ec642bb64cf170dafc6d9e6c28c813c7f93355f3d9a2482e
Instruction ID: 57bbf3f4bb964cf51730581273c845515060f81a471a4513015b283255152b8f
Opcode Fuzzy Hash: e5f0313a9b6660e0ec642bb64cf170dafc6d9e6c28c813c7f93355f3d9a2482e
Instruction Fuzzy Hash: 8D51AEB1A0020ADFDB46DF68C895AAEFBF5FF88310F148466E955AB251D730DD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07DC0388, Relevance: 1.4, Instructions: 1391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a01333327b799f9921833f4b23c9132b23ae395b1546016629b5556d0ec221
Instruction ID: 98692949f2c6d479a1d0b5d70cfa2dbf8e319368d9029715ad2a7a0b4d635afa
Opcode Fuzzy Hash: c6a01333327b799f9921833f4b23c9132b23ae395b1546016629b5556d0ec221
Instruction Fuzzy Hash: 64E2FAB4A00219DBDB24EFA0E894BAE7733FB98304F10419DDA0A67795CB751D82CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07DCBD48, Relevance: 1.4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

Strings

hC}l, xrefs: 07DCBDBE

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID: hC}l
API String ID: 0-1939806625
Opcode ID: edc3f9ab5be1d252e23c3ae2bfd36421e93bf18110e079f85da3b01e2bb3555b
Instruction ID: 18cd56fc5d98e983d54229a020a8653d44f00ae9fb12b73eefe4a0745de177d8
Opcode Fuzzy Hash: edc3f9ab5be1d252e23c3ae2bfd36421e93bf18110e079f85da3b01e2bb3555b
Instruction Fuzzy Hash: C45149B07081058FC718DB39D095826B7F6AF9A61472684ADE64ACF776CE31EC42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07DCBD38, Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

hC}l, xrefs: 07DCBDBE

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID: hC}l
API String ID: 0-1939806625
Opcode ID: e7b1fb1b4f139b6acb5af5fee55ce08ce0c1db6e27ae03ec471d59226348e034
Instruction ID: 0fbb4de6a895da94a4bf81ddf8220521abba4f37b3eb16fa2f1f7095bf95f926
Opcode Fuzzy Hash: e7b1fb1b4f139b6acb5af5fee55ce08ce0c1db6e27ae03ec471d59226348e034
Instruction Fuzzy Hash: FC419CB07081058FC718DB39E095826B7E6EFDA61472644AEE24ACF776CE71DC41CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07DC2AE0, Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

pF/l, xrefs: 07DC2AF8

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID: pF/l
API String ID: 0-1752472556
Opcode ID: de65f52b7d956737f56baa69d739609ebc8853d797553d6073db7f152bc0650a
Instruction ID: 76fcdeb470a9e136a16c667ce01a3190f3d55934bc55c1cf33201a86b9cdcd25
Opcode Fuzzy Hash: de65f52b7d956737f56baa69d739609ebc8853d797553d6073db7f152bc0650a
Instruction Fuzzy Hash: 0C4191B02047026FC765EF29D440A89B7E2BFC525CB41CE1DC25A8FA62CB71B80DCB95

Uniqueness

Uniqueness Score: -1.00%

Function 07DC2AF0, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

pF/l, xrefs: 07DC2AF8

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID: pF/l
API String ID: 0-1752472556
Opcode ID: 5e297801629550448e8fe90e61bfd88e71c551ad836484066ffb6fb7e3510cd1
Instruction ID: 9f28ab311ae380ba68fa973f023bee033cee1f8f2f81aac7f0e83d161ce33e4c
Opcode Fuzzy Hash: 5e297801629550448e8fe90e61bfd88e71c551ad836484066ffb6fb7e3510cd1
Instruction Fuzzy Hash: 844183B02047066FD764EF25D440A49B7E2FFD525CB41CE1DC25A8BA62CB71B80DCB95

Uniqueness

Uniqueness Score: -1.00%

Function 07DC3268, Relevance: 1.3, Strings: 1, Instructions: 13COMMON

Download Yara Rule

Strings

P, xrefs: 07DC3274

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: a5551822b1ff8ac136df979f2c23f76d4b62b7ef518c69443b6a303cf5c837c6
Instruction ID: 1293a8e79c32641de7f753f24c7f0d36f3079d66ff3780106c16bccdcead8284
Opcode Fuzzy Hash: a5551822b1ff8ac136df979f2c23f76d4b62b7ef518c69443b6a303cf5c837c6
Instruction Fuzzy Hash: 7AD0C93090E3CACFCB578B648990495FB30EF0722D31945DBD9848BA52D7755D34EB52

Uniqueness

Uniqueness Score: -1.00%

Function 07DCA7F8, Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd2e0970c455c0e0ddfdcd71cae663d64969e1b8f0a9d51bdc2eccef10cb9f4
Instruction ID: 0a5bc9f15497f1476cd116114103cc1839d3f28ecd124d77d83f4cdb389e0c7a
Opcode Fuzzy Hash: 6dd2e0970c455c0e0ddfdcd71cae663d64969e1b8f0a9d51bdc2eccef10cb9f4
Instruction Fuzzy Hash: 43325DB470060A8FCB14DF39C598A6ABBF2FF89204B1585ADE546CB361DB30EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07DEEDE8, Relevance: .6, Instructions: 555COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432135918.0000000007DE0000.00000040.00000001.sdmp, Offset: 07DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fc80dc366454d19a44d37cadc93cf92185ebbd991576f0f08116975e595f94c
Instruction ID: a4ca2f973e13bbc628fa35f7e29c5de3bcacf0605a6b630d51656420a2ba6c18
Opcode Fuzzy Hash: 2fc80dc366454d19a44d37cadc93cf92185ebbd991576f0f08116975e595f94c
Instruction Fuzzy Hash: 3722F0B1A04245DFDB12DF68C480AAEFBF6FF89310F19849AD5499B652C730EC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07DEE811, Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432135918.0000000007DE0000.00000040.00000001.sdmp, Offset: 07DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a643f1c813882e380597547abb3e2046501c4c3ae594954a220d915c943cfc83
Instruction ID: 60ba60b184e1c3fbfacd06fe52840fa0ff795664c9b23ba89beb6f144eec2a66
Opcode Fuzzy Hash: a643f1c813882e380597547abb3e2046501c4c3ae594954a220d915c943cfc83
Instruction Fuzzy Hash: EC2226B0600706CFDB25EF64C58496AFBF6FF88314B198A69D44A9B661DB30FC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07DCEF88, Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f06288dbff1e129cf71ee4df1d5196223316f51c5d6df6b46314585e6820d4
Instruction ID: 062da0eae9e2de6d4adce9816b471dfc9672634cad20e270515f707007f4461e
Opcode Fuzzy Hash: 92f06288dbff1e129cf71ee4df1d5196223316f51c5d6df6b46314585e6820d4
Instruction Fuzzy Hash: 85D1BDF2B15227AFCB25CB6884006AAFBA3AF89610F15456ED845DB355CB30DC42CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 07DCA7E8, Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad59e02d3eecd16af65eec5343bcc322d1864ea776245e8b100fab4c83d09aff
Instruction ID: 20ee236343c2ad63739fadf6f0a73ffafa869ccf910c7c568aeeadeacee7f120
Opcode Fuzzy Hash: ad59e02d3eecd16af65eec5343bcc322d1864ea776245e8b100fab4c83d09aff
Instruction Fuzzy Hash: 38B1377470060A8FCB14DF39C598AAABBF2BF89204B1584ADE546DB371DB30ED05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 07DC0007, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1777d1edd16ceb24f8cab2b611c80c233340766aa8a76c9ba57cbcad413ca6c2
Instruction ID: 2420c0f204676b3e48445cc5abc070a9bc7a35fa9f3155b5d318a8d3e125a4ff
Opcode Fuzzy Hash: 1777d1edd16ceb24f8cab2b611c80c233340766aa8a76c9ba57cbcad413ca6c2
Instruction Fuzzy Hash: 31B149746043469FC715EF24C484C9ABBB2FF892187158A99E54ACB772DB30FD4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 07DC0040, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce48b318ab781b4a06a220cffd3e2ae33e6ca9813502dcd9fd8e9e37050be27f
Instruction ID: 1494569da79d6c7c800690dc0b22bae94c45a83b6e8c7f0e823727bb90958269
Opcode Fuzzy Hash: ce48b318ab781b4a06a220cffd3e2ae33e6ca9813502dcd9fd8e9e37050be27f
Instruction Fuzzy Hash: E0A11C746007069FC754EF24C484D9ABBB2FF892187118A99E54ACB772DB30FD4ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 07DC5309, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c0c5fd0ef87f3c8836c76bbecee8dff5bd96b92910977233f7194510b45d29
Instruction ID: cc1cbdd19a7de34e4d87d320928f882fc2f2ef8aa1134b4a937c09a381b58abe
Opcode Fuzzy Hash: e8c0c5fd0ef87f3c8836c76bbecee8dff5bd96b92910977233f7194510b45d29
Instruction Fuzzy Hash: 4871D1F16142179FC700EB64E4148ACB7B2FF8A119706895EDA07AF211DF34ED0ACBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07DCB040, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a892a7b89d4867fd1ca028abbcdb63fc351c056ba0cdee26e814e8193499518
Instruction ID: ec5dd21047a95776c547347f2dce3c68c5c6e697ff13c56883d98766b3d5e31a
Opcode Fuzzy Hash: 9a892a7b89d4867fd1ca028abbcdb63fc351c056ba0cdee26e814e8193499518
Instruction Fuzzy Hash: A38152B5A00256CFCB15DF68C4459AEFBF6FF89210B15809AE915EB361D730ED01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07DC5318, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79615a9f6f0608d3124e3af2a5d7256a6a97f9060b03c8897be8114071505f6e
Instruction ID: 7edb32379db755116da02a00cf54878ba18631ae89b4a0f6e594b4b2070972cf
Opcode Fuzzy Hash: 79615a9f6f0608d3124e3af2a5d7256a6a97f9060b03c8897be8114071505f6e
Instruction Fuzzy Hash: 7271AFF16142179BC700FB64E4148ACB7A2FF8A119706895EDA07AF215DF34ED0ACBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07DCB628, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da173c2b921dd64abb9dea47fc027a5c0147355316ea06cf07d2c02b36df906
Instruction ID: 77c5bcc43d11ab96e3a300ebf346e035a77c592c3f086b423013980d27f46e5b
Opcode Fuzzy Hash: 9da173c2b921dd64abb9dea47fc027a5c0147355316ea06cf07d2c02b36df906
Instruction Fuzzy Hash: 6861D2B56046069FC701CF28C48089AFBF6FF8A314716C5AAE555CB262D731EC1ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 07DC2420, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b560d60bf20a2ef747fd61a49892becc1c297d28b992365b9df1c24f01a96505
Instruction ID: 9919fbff9066a97dabb0a5965e2b6e60f69a1470b2adde05c47285e24ec1cb28
Opcode Fuzzy Hash: b560d60bf20a2ef747fd61a49892becc1c297d28b992365b9df1c24f01a96505
Instruction Fuzzy Hash: 07718EB560420B9FCB10DF58D88099EF7B6FF88328B15CA59D6199B251DB30FC06CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07DC9E7F, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1d4f3b3c421e098996a8d49d95bf28012597196887bec86d2f9a88137bc548
Instruction ID: 44c66c4080c1f08c47130a1b534c50b5830cf568032c1a5ccbadd0cf133bc001
Opcode Fuzzy Hash: 2d1d4f3b3c421e098996a8d49d95bf28012597196887bec86d2f9a88137bc548
Instruction Fuzzy Hash: C06131B0B0021B8FCB14DF69D454AAEF7F6BF89604B15816AD505EB365DB30DC01CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 07DEE0D8, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432135918.0000000007DE0000.00000040.00000001.sdmp, Offset: 07DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4731853713a396831e80e303ee0e391db22ce9bda1156b1be8cf1e850d6f99
Instruction ID: 0316c603a1c8d87c7b7a7b450bea659aec6bc4e482c46fcd0f9f4bdb6fbb5891
Opcode Fuzzy Hash: 1d4731853713a396831e80e303ee0e391db22ce9bda1156b1be8cf1e850d6f99
Instruction Fuzzy Hash: D241BEF1608742DFE732DE25C584B66B7E8BB45318F04499DD48A83A92D774E8C8CB62

Uniqueness

Uniqueness Score: -1.00%

Function 07DC3EDB, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0763009700a180dd13f40998510469c6a34ae37e7c10adc2242b4c81e2fdba68
Instruction ID: 10815bde37f165e8fd5c03bb951946b9dbbf8e9decba836baffc357fcba2e863
Opcode Fuzzy Hash: 0763009700a180dd13f40998510469c6a34ae37e7c10adc2242b4c81e2fdba68
Instruction Fuzzy Hash: C6419C343003068FC725AB34D454A6AB7F7FF89219B048E6DD64B8B691DF35A80ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 07DC5DD7, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c91491c6b0a78b67575197637ec6372fc5eb7a832e40e5bb5df6c49f138f192
Instruction ID: 0c0d3ee44711a4c474bc60469f913749c2ea80e6f089726621c15f9b4594b38e
Opcode Fuzzy Hash: 0c91491c6b0a78b67575197637ec6372fc5eb7a832e40e5bb5df6c49f138f192
Instruction Fuzzy Hash: D0516DB0A0021A8FCB04CFA8D8409AEFBF6FF49314F258559D515AB351DB30E952CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07DCE813, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504c11cd0631fe506003359c58e8c742f22af330b8ea24bb49b77bd0ba7b8346
Instruction ID: d40685aa373e44c7a9e51736415f3c8f22d48aa0c5d7f12b54dfb18a56e8c48d
Opcode Fuzzy Hash: 504c11cd0631fe506003359c58e8c742f22af330b8ea24bb49b77bd0ba7b8346
Instruction Fuzzy Hash: 93415C74B10215CFDB18DB74D491AAEB7F3AFC9258B14446DE802AB395CF399C02CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07DC3EF0, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 740cce745f5fed9875efe6467acfc8a6c4675bbb79aee917b550e1c29ea14f97
Instruction ID: b94fdbf4d2dbfea87835533946ba1db1198f3ada1bc7f37ab0ab62af2b339da6
Opcode Fuzzy Hash: 740cce745f5fed9875efe6467acfc8a6c4675bbb79aee917b550e1c29ea14f97
Instruction Fuzzy Hash: 89415C343003069FC724AB34D458A6AB7E7FBD8219B048E6CD64B8B651DF35B80ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 07DCB100, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7558ebdba60041248a7a75a8f33f2e6440b76533f670a834c28975a0e7c263f9
Instruction ID: c8ef08f5468e8dbcc23a528b6a2b97251036ed4a06c4bf92ff088acd2edd563a
Opcode Fuzzy Hash: 7558ebdba60041248a7a75a8f33f2e6440b76533f670a834c28975a0e7c263f9
Instruction Fuzzy Hash: 0D414DB4B10146CFCB14DF68C58996EBBF2FF49254B1580AAE905DB362DB30ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 07DCB4B0, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513eda844d0d252954713299fca6a3a81b03ce1c3e4aa165cc1294f34e1e1f3f
Instruction ID: 4a5aed526e52df018753f10a54fc6cc9863a2c850701aa4714f6af4f7dc679d3
Opcode Fuzzy Hash: 513eda844d0d252954713299fca6a3a81b03ce1c3e4aa165cc1294f34e1e1f3f
Instruction Fuzzy Hash: 84318CB5B043159FCB05DF34D49496EBBB6BF89304B0485AAE905CB361DB35ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07DCB4C0, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1e721f17d4f5ec8b06a80a46971cb123a4dfd9eb633b72d6786a67467ca77d
Instruction ID: 109c6f546505d1255558a6a45f8a64bfd3db762172c55b620338b5da653f74b6
Opcode Fuzzy Hash: 9b1e721f17d4f5ec8b06a80a46971cb123a4dfd9eb633b72d6786a67467ca77d
Instruction Fuzzy Hash: 55315AB4B002159FCB15DF34D49496EBBB6FF89314B148569E906CB361DB31ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07DC3091, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2412cd1ea705bfae654fdd6e0a6bc4fdce18c0155c8ff88b094a6b892a9a05d5
Instruction ID: 8597f2aee505850926879dbf57d3a9471c027a5b3d50a3b2d4e90990e92166aa
Opcode Fuzzy Hash: 2412cd1ea705bfae654fdd6e0a6bc4fdce18c0155c8ff88b094a6b892a9a05d5
Instruction Fuzzy Hash: 1821D1743043066FE728AB71A854BBE2293EFD1128F0A8D2DD6039F6C4DE715C0E8398

Uniqueness

Uniqueness Score: -1.00%

Function 013FD4C4, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.418598611.00000000013FD000.00000040.00000001.sdmp, Offset: 013FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6affeba5fb0eadb3d235a5e3e2749579f7dfdc7c0aed88cdcb77373d113508dc
Instruction ID: f00fbb2764406d4ad7c0c86bee06acabbcb6022e33ae075da601ba31240953bc
Opcode Fuzzy Hash: 6affeba5fb0eadb3d235a5e3e2749579f7dfdc7c0aed88cdcb77373d113508dc
Instruction Fuzzy Hash: F02125B1504248DFDB11DF94D9C8B26BF65FB8832CF24856DEA094B607C336D846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07DCCDB0, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62242261f401dbc61fc1ab452cd10228b052f101a91d717e7cbd34938b4b0768
Instruction ID: b33ae4f28edd26a562c27f0fb16b902ead9bba007faa19ffe7e4d7cff839c358
Opcode Fuzzy Hash: 62242261f401dbc61fc1ab452cd10228b052f101a91d717e7cbd34938b4b0768
Instruction Fuzzy Hash: 53110BB32083D56FCB124F6D5C20CAB7FB8AE9A1257094197FAD8C7292D528CD15D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 0140D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.418660184.000000000140D000.00000040.00000001.sdmp, Offset: 0140D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37077b90be031770214bcbe400e32cf175a5ea0f2db7b0c52a65a2ad1e924a7c
Instruction ID: f5bfcd56823e08007a1061283fdfcd4e4a58254ae14c06cf05454ffa1399f28e
Opcode Fuzzy Hash: 37077b90be031770214bcbe400e32cf175a5ea0f2db7b0c52a65a2ad1e924a7c
Instruction Fuzzy Hash: 6221F871904204DFDB02DFD5D9C0B26BB65FB84324F24C57ED9094B396C736D84ACA61

Uniqueness

Uniqueness Score: -1.00%

Function 0140D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.418660184.000000000140D000.00000040.00000001.sdmp, Offset: 0140D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e39df9534e7bde5c5dbd4639e47f584777b76b3854bc706fd0859d2f972402ac
Instruction ID: 8d150042b85fc5773b81227336b44c1ed793e348e2b45ccabbc06d95e0835238
Opcode Fuzzy Hash: e39df9534e7bde5c5dbd4639e47f584777b76b3854bc706fd0859d2f972402ac
Instruction Fuzzy Hash: 5F2125B1904204DFDB16CF95D8C4B26BB65FB88368F24C57AD90D4B396C33AD84BCA61

Uniqueness

Uniqueness Score: -1.00%

Function 0140D3C4, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.418660184.000000000140D000.00000040.00000001.sdmp, Offset: 0140D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f4e5227e23f5b6c33e9c6eb86e5f27717c08000fdca11b81a6baa64619ad49
Instruction ID: f385ed226469e9d64be881012345abc121b9ade1dfa223e240fd46b70cf1b5a2
Opcode Fuzzy Hash: c5f4e5227e23f5b6c33e9c6eb86e5f27717c08000fdca11b81a6baa64619ad49
Instruction Fuzzy Hash: EB215BB1D04244DFD702DF99D9C4B6BBB64FB84214F21C67AD5094B396C335E80EC6A2

Uniqueness

Uniqueness Score: -1.00%

Function 07DCC250, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42b5521ae4926d7703b12e5cbf3200ab146017d02dbab666585b11db2398ca43
Instruction ID: 11a762fb7a8468e09f090c2588adb3dd85d81bbff8ec894aa31d26363f358b2a
Opcode Fuzzy Hash: 42b5521ae4926d7703b12e5cbf3200ab146017d02dbab666585b11db2398ca43
Instruction Fuzzy Hash: CC216DB1B00116CF8B14DFB8D4909AEB7EAFF89215710406EE909DB350DB31DD02CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07DCA53F, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84d026f4374447cc16a0b7fc844b53c3e51375463c15801d69eb0850d7f39eab
Instruction ID: 36f3df408fc06d1d455b7c02ed06c697be82c6f0460e7a6095d9725c74a938a5
Opcode Fuzzy Hash: 84d026f4374447cc16a0b7fc844b53c3e51375463c15801d69eb0850d7f39eab
Instruction Fuzzy Hash: 5B1150B161D3865FC711C774A8809A5FF61AFC3224F45C1ABD2844F593C630C889C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 07DC31A8, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693ce103fffff529220d66c46e050dd9e94815f9e869c04a9c0f3f5ca1950f3a
Instruction ID: d5762eecdf42e7cf59b39159ae6a1fdcc2fc6c5ed04242a303f9f9cc772e2941
Opcode Fuzzy Hash: 693ce103fffff529220d66c46e050dd9e94815f9e869c04a9c0f3f5ca1950f3a
Instruction Fuzzy Hash: 3411D3713007168FCB20DBA8D48489AF7B1FF852287058A2DD5468B711EB75AC05CB99

Uniqueness

Uniqueness Score: -1.00%

Function 07DCDE7B, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d358e047a3c18279b9e9cc52d67dd6efb0a0b309a11899ac9581e5cdf166706
Instruction ID: 748f9b6bdf0c0f0512e780455c732c6a5d72a17db1380848f568b2138eb27caa
Opcode Fuzzy Hash: 6d358e047a3c18279b9e9cc52d67dd6efb0a0b309a11899ac9581e5cdf166706
Instruction Fuzzy Hash: 0921B135B001199FC705EFA4E8448DEBBB2FFC9360B008166E905CB350DB359D1ADB92

Uniqueness

Uniqueness Score: -1.00%

Function 07DCC240, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8fa1727fd5fd4930063d09eea15d9acb4f9ddeff9c7c8652127972fd95cd289
Instruction ID: 1de18cffc76bd597a994c50982a42c73e85dd1b8607027722055d1ceb1dcf6eb
Opcode Fuzzy Hash: b8fa1727fd5fd4930063d09eea15d9acb4f9ddeff9c7c8652127972fd95cd289
Instruction Fuzzy Hash: CC117CB0B102168FCB15DFB8C49496EB7F6AF8920531580AEE905DB361DB31DC06CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 07DCF473, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b9274561c7d005954c9faacd14b6c60a8db24bc174df67c60d41f6d87f2f0e6
Instruction ID: 56735f6aaacb770df44909fbd5e54dada9ae94428c6742749a513e7263ac559d
Opcode Fuzzy Hash: 8b9274561c7d005954c9faacd14b6c60a8db24bc174df67c60d41f6d87f2f0e6
Instruction Fuzzy Hash: 9711E6B1B242069FCB11DF68D840AAFBBB7FF89210F01046AE6469B351DB70ED04C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0140D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.418660184.000000000140D000.00000040.00000001.sdmp, Offset: 0140D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62ed04cd788e7fb734e1fa0edb708de29465614ffc6965316417913e6bd0395
Instruction ID: 90e61dca8cf45b02b62bb2c5842ae8e00d1f0b687e724c35cfb984c32dcb3682
Opcode Fuzzy Hash: b62ed04cd788e7fb734e1fa0edb708de29465614ffc6965316417913e6bd0395
Instruction Fuzzy Hash: 2E2192755093808FDB03CF64D994716BF71EF46214F28C5EBD8498B6A7C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 07DEF4A1, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432135918.0000000007DE0000.00000040.00000001.sdmp, Offset: 07DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b4ee0f1df236081eaf392301d376908b58fd7f2bff66e44bfcf852f6a420a5
Instruction ID: fa692f2a87cdc38b6b78f0e4e36d31d26cd68f5682b87f31ea09bb1dd84c62a7
Opcode Fuzzy Hash: 02b4ee0f1df236081eaf392301d376908b58fd7f2bff66e44bfcf852f6a420a5
Instruction Fuzzy Hash: 7611BBB4A002068FC7A1EF19D544BAAFBF9FF45324F45816AD448CBA52E334E904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 07DCC0E0, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff085702bd73490fdc256351f127e986a188fa9265e0806595df31b8abc7449
Instruction ID: e7aabb8ae5c602d2bfca342d90275ef0b38de5853bd9b1a7c165460a020e126b
Opcode Fuzzy Hash: fff085702bd73490fdc256351f127e986a188fa9265e0806595df31b8abc7449
Instruction Fuzzy Hash: D4114671B1010A9BCB24DBA5D8586DEBBB6EB88620F14412DE50AF3394DF705D41CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 07DC0377, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22838a9c51dc7a529a2dd101ef50dbf4e407c0f2e635e43ae962a30415976a54
Instruction ID: e6c2e615888fb91548d4a5c97f37b45ceb7b9a906fffcd05ecb5dc03e4151ddc
Opcode Fuzzy Hash: 22838a9c51dc7a529a2dd101ef50dbf4e407c0f2e635e43ae962a30415976a54
Instruction Fuzzy Hash: 7D11C271705206CFC702EE68DA98B2AB7A6EBC4254B058169D505CF245CA34E807C762

Uniqueness

Uniqueness Score: -1.00%

Function 07DCC310, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e997c57abd3f6098f060a59a97feab245801239aafa6e22f96948e0659d734d9
Instruction ID: 1e267bfa307a82ba4187227c149a182a2f9cc6f9eef46c96987c7dd5555d0041
Opcode Fuzzy Hash: e997c57abd3f6098f060a59a97feab245801239aafa6e22f96948e0659d734d9
Instruction Fuzzy Hash: 6D114C713143019FC720DB68D844F96B7F4EB45714F05866AE358CFAA1D770E805C761

Uniqueness

Uniqueness Score: -1.00%

Function 07DC31B8, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e89d35721e6afeaebfd7c3c409425a9131b9c89ee110b6133136284c4cf081
Instruction ID: 75d2645c453e255255a33241f32b917440d22979aeb2abce6af60460bf1f8a0e
Opcode Fuzzy Hash: 86e89d35721e6afeaebfd7c3c409425a9131b9c89ee110b6133136284c4cf081
Instruction Fuzzy Hash: CD11A3717007168FCB24EFA9D48485EF3A6FFC52287058A2CD60A8B710EB75EC058B99

Uniqueness

Uniqueness Score: -1.00%

Function 013FD4BF, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.418598611.00000000013FD000.00000040.00000001.sdmp, Offset: 013FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cc86b5ff79ce043c803af90b915b5d7a1ca48b01667a36e239ea52a940d4d9
Instruction ID: dfe8d209c6a5ce6d69ff6495e8e9b880dc69bcc530ff8de2e58d50c159ea6063
Opcode Fuzzy Hash: b7cc86b5ff79ce043c803af90b915b5d7a1ca48b01667a36e239ea52a940d4d9
Instruction Fuzzy Hash: 0511B176404284CFDB12CF54D9C8B16BF71FB84328F24C6ADD9490B656C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 07DC2627, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b08f461e5b3f12bc9e44db73d8866216e07b64242ec6c6b2d1344098236716d
Instruction ID: 5dbda89bab209da32d1d65ded64546e49aef2b6524863bd9087f13419413d4dc
Opcode Fuzzy Hash: 8b08f461e5b3f12bc9e44db73d8866216e07b64242ec6c6b2d1344098236716d
Instruction Fuzzy Hash: 6C1151312047069BD724DF28D44485AB7B7FF842283148EADD55E8B652DF71A90AC788

Uniqueness

Uniqueness Score: -1.00%

Function 07DCA3C7, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c95d4c8cd82ef232f06cda9220595788a817f0f46fd06731dc90636878303d
Instruction ID: b2f9ddde6f54f7bd7d5918b674225fc4e0ce21d9b829726bddc8d966a532ffff
Opcode Fuzzy Hash: 22c95d4c8cd82ef232f06cda9220595788a817f0f46fd06731dc90636878303d
Instruction Fuzzy Hash: DD115B75B4010ACFD710CFA4C494A9DF7F2AF88214F15C1A9E5159B7A1DB31DC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0140D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.418660184.000000000140D000.00000040.00000001.sdmp, Offset: 0140D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e48e4748a45bc7b91dcd6aa8ebc28c847b65a88b089b38da77094b7edb9447c
Instruction ID: 380474381a652f9b27d0eddaa5da0d711735eeba6727fa59f471fa075845c8a0
Opcode Fuzzy Hash: 4e48e4748a45bc7b91dcd6aa8ebc28c847b65a88b089b38da77094b7edb9447c
Instruction Fuzzy Hash: 8E118E75904280DFDB12CF98D5C4B16BB71FB84224F24C6AED8494B7A6C33AD45ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 0140D3BF, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.418660184.000000000140D000.00000040.00000001.sdmp, Offset: 0140D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12dbf85d914fe0d6ddc1fd61b5b9352e27c7d992790d7085f398c905dc7029a7
Instruction ID: aa90ca783432bdc405dfa9ab9bf8ee975b94215acfb21c62aff8eb883777fdd0
Opcode Fuzzy Hash: 12dbf85d914fe0d6ddc1fd61b5b9352e27c7d992790d7085f398c905dc7029a7
Instruction Fuzzy Hash: 4A11E371904280CFDB12CF58D5C4B5AFB71FB84224F25C6BAC8484B756C33AE44ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 07DEE3AB, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432135918.0000000007DE0000.00000040.00000001.sdmp, Offset: 07DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f96ed79ec06ab8aaedeb7b015f6c6eeb628b7929029fbb6d63ec680f3d9954
Instruction ID: 960c802cbd2c7baebc62178d6b8b26fe7b9a3c7edc947da225c2bb62471581e0
Opcode Fuzzy Hash: 82f96ed79ec06ab8aaedeb7b015f6c6eeb628b7929029fbb6d63ec680f3d9954
Instruction Fuzzy Hash: 4A0189F1708B51CFE3269AB9E0802AAF7B5FFC1225F18457AC44983341E775C446CB40

Uniqueness

Uniqueness Score: -1.00%

Function 07DC2638, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f441e175832d451ec7d80fbc451151489f9025d8930fcbecdc08919596dc1bf4
Instruction ID: 597918fe737df7b12c2fdd1ebf1ef69eef0ee1cc91e419e30577b214228ec16b
Opcode Fuzzy Hash: f441e175832d451ec7d80fbc451151489f9025d8930fcbecdc08919596dc1bf4
Instruction Fuzzy Hash: EE114F302007065BD724EF28D444C5AB7A7FFC822C3548E6DD65E8B262DF71B90AC794

Uniqueness

Uniqueness Score: -1.00%

Function 07DCC058, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78f9d88a02336d72d7f3d195e609744a9366d8d06119e7a76e5a536689d315f
Instruction ID: f991e4dcc87a2ba5814d78dcc22b5c3f77377f2c14b24daaf2c63c4bd194e177
Opcode Fuzzy Hash: a78f9d88a02336d72d7f3d195e609744a9366d8d06119e7a76e5a536689d315f
Instruction Fuzzy Hash: 0B016D717102058FC714EF29D444D5AF7FAFF88214715856AE609CB331DB71EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 07DCC04B, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c06daa4a6b1d3cc8a4fb6233275189dc397468856d26478de432e2ada572ae
Instruction ID: 2867cdd8e6bd235760988720d2894fe2a3359ee15af404e83b1ab9e408f493cf
Opcode Fuzzy Hash: 76c06daa4a6b1d3cc8a4fb6233275189dc397468856d26478de432e2ada572ae
Instruction Fuzzy Hash: 0311C0753042058FC700DF29C844A5AFBF6FF8822431A86AAE609CB372D731EC05CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07DCEE50, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8237299318b9baf796b2de1e5f3995df6387f7497f273ebe7955aa8c7a9b9687
Instruction ID: a33cf580d66da599bf9f5de0de21b73bc5029419565031d4fc13acb0b9bcf034
Opcode Fuzzy Hash: 8237299318b9baf796b2de1e5f3995df6387f7497f273ebe7955aa8c7a9b9687
Instruction Fuzzy Hash: B0113CB4E11209ABDB04CFA5D955ADDBBF6AF88320F148569E814B7390DB718D05CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07DCA583, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a46d8cf4857847c7f83c60d9d9d61a5bafc30933c56b641dcafd824bed7ca65
Instruction ID: 745d2c15155ec8d277540581496971260e475751426a35d1920269d6943ec0ab
Opcode Fuzzy Hash: 0a46d8cf4857847c7f83c60d9d9d61a5bafc30933c56b641dcafd824bed7ca65
Instruction Fuzzy Hash: AB01D4B07442058FC710DB78D998B15BBE5AF8A314F15C2AAE209CF7A3CA31CC84C791

Uniqueness

Uniqueness Score: -1.00%

Function 07DCDD18, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd4c1fffd5e1a86728825de4afc03b4a31b95e80b97982fc548b5f15034c40ec
Instruction ID: dc96d3ad30f48b7b89af0c72b39d7f3bbbd0e2afe7e67b35eca9e3797889929d
Opcode Fuzzy Hash: bd4c1fffd5e1a86728825de4afc03b4a31b95e80b97982fc548b5f15034c40ec
Instruction Fuzzy Hash: FDF0817270021AAF9B10DE59EC44DAFFBEEFB88271314812EF509D3200EB329805D790

Uniqueness

Uniqueness Score: -1.00%

Function 013FD731, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.418598611.00000000013FD000.00000040.00000001.sdmp, Offset: 013FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e827a2d3ef5033aea2e677bb37b3ed3ae043a478999e1accfb420751662d2d0b
Instruction ID: 847b8c1315844392a4500e089ea4cdc80f7641c17c8b18b30d280705b4b4dd19
Opcode Fuzzy Hash: e827a2d3ef5033aea2e677bb37b3ed3ae043a478999e1accfb420751662d2d0b
Instruction Fuzzy Hash: CC01FC724083889AE7104E66CDC8766FB9CEF4427CF18851DEF095F243D3749448C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 07DC9DF8, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c929654570770b47b1f49a80f825638befaf2e93c0bc6b8703f128ac395d73
Instruction ID: 482b7074f570a4a8452dfc056bf3615008e586aed6498830a856a370ab8ceed4
Opcode Fuzzy Hash: 15c929654570770b47b1f49a80f825638befaf2e93c0bc6b8703f128ac395d73
Instruction Fuzzy Hash: 3501D63530830A4FC315E778D0916EE37E39FDA004305492AD20ADB652EF209C0AC3F6

Uniqueness

Uniqueness Score: -1.00%

Function 07DCEE60, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11893eb485cd98969cccc4004a945dd694502066c4e8a9138429abfdbf2d7833
Instruction ID: 9963b0eb88833a4238618ccf2dfdeff1cfd51905e67c7eac6c61cb1690451f78
Opcode Fuzzy Hash: 11893eb485cd98969cccc4004a945dd694502066c4e8a9138429abfdbf2d7833
Instruction Fuzzy Hash: 050117B4E14219ABDB14CFA5D954AEEBFF6AF8C310F148069E815B7250DB719A04CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 07DCB440, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fa7a10cc635798445bfc13cbe81c42a542bc469b2abd042adf1ed83245a01ff
Instruction ID: 3acc891f7a221f8939a01a1016f3929a685ab93d12b7c5fae92dfd8198be800e
Opcode Fuzzy Hash: 7fa7a10cc635798445bfc13cbe81c42a542bc469b2abd042adf1ed83245a01ff
Instruction Fuzzy Hash: 1C01D1F061C713CFCB28CE25D402623F3E6FB8420DB148C2ED5828B520DA71E485CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07DCC2FF, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730f5352de5b5078bb0d15d85f779e47b0ead2161ba343380b58ebae5b59297c
Instruction ID: 0e5d01c9ea5c6b92d2dcfa70256bb46fedb649829dd85f2f847c36a5483209c5
Opcode Fuzzy Hash: 730f5352de5b5078bb0d15d85f779e47b0ead2161ba343380b58ebae5b59297c
Instruction Fuzzy Hash: A9F0CD313413029FC721CBA8E845F99B7A1AF41728F09826AE248CF5E2C7B1E816D794

Uniqueness

Uniqueness Score: -1.00%

Function 013FD730, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.418598611.00000000013FD000.00000040.00000001.sdmp, Offset: 013FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5760eaa11e22cfd9620bebc439cd0af5e37f51f93849b6dccdd69d52c96e24c8
Instruction ID: 8f81d95b71e65b0b791ff6dba53749bbe715c5754ce8a827545789f5c96a1869
Opcode Fuzzy Hash: 5760eaa11e22cfd9620bebc439cd0af5e37f51f93849b6dccdd69d52c96e24c8
Instruction Fuzzy Hash: 46F0C8724042849FE7108E1ADDC8762FF98EF41378F18C55AEE045F243D3755844CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 07DC9E08, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842161a25d8d77a0f95b0c9a8ed25c732c7ebf93d738b2c28d700b6c44e0eba4
Instruction ID: 875d27f5f7abf94877803b71a2231507eb145fd0aedd6eedda378724bd1a2652
Opcode Fuzzy Hash: 842161a25d8d77a0f95b0c9a8ed25c732c7ebf93d738b2c28d700b6c44e0eba4
Instruction Fuzzy Hash: 16F0903130420A5B8224E72CD490AAE73D7EBDA1483054D29D60ACB711EF30AC0AC7EA

Uniqueness

Uniqueness Score: -1.00%

Function 07DC4D80, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc43ba3a8ff73da3dfb3a34a0b43ac6128ae70b05437075922f0ee07724fe4eb
Instruction ID: e71b3aa4f9398802cdbe81197f7f4dde79d01924422df5d427989370acd039bd
Opcode Fuzzy Hash: fc43ba3a8ff73da3dfb3a34a0b43ac6128ae70b05437075922f0ee07724fe4eb
Instruction Fuzzy Hash: 27F0B82244E3C80FC703EB34AC160C97FB28A0722870901DBC080DF023C608588D83B7

Uniqueness

Uniqueness Score: -1.00%

Function 07DEE338, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432135918.0000000007DE0000.00000040.00000001.sdmp, Offset: 07DE0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c1acdd0aeda10f11f18d4a6216310e9217f1c860dfd960493050c248ea4b9e
Instruction ID: 667e036dd655f3adae1dd42e3b94e2a0035de4c8472a64cb93191d1fe9431077
Opcode Fuzzy Hash: e8c1acdd0aeda10f11f18d4a6216310e9217f1c860dfd960493050c248ea4b9e
Instruction Fuzzy Hash: C5E09BB5608BB64DE733657960043A6FBD95B82925F0C8A99D4C981681D555D50887C0

Uniqueness

Uniqueness Score: -1.00%

Function 07DCDD17, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 578b8e77c45b859baf311e1538121c8a565ee0b37cd7f8fd54d060e8086f73b3
Instruction ID: 53f50ee6c81ad0938aa2f298b60fddcd5e9ac6459994b91a1d06d05e1b587ee9
Opcode Fuzzy Hash: 578b8e77c45b859baf311e1538121c8a565ee0b37cd7f8fd54d060e8086f73b3
Instruction Fuzzy Hash: 24E012B2B0021B9F5B14CA69AC45ABFB7EEFB84265308442EE118D3204EB71C805D750

Uniqueness

Uniqueness Score: -1.00%

Function 07DC3290, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fc807b14881e117fa00aec96cdd5835d526d228971ca2cc7d4916e3dbcf6be
Instruction ID: c97c24b300113b317a416b4253a67a7402a1df2a63681779eb8f8d4f20f1875f
Opcode Fuzzy Hash: 09fc807b14881e117fa00aec96cdd5835d526d228971ca2cc7d4916e3dbcf6be
Instruction Fuzzy Hash: 33F03934D083489FCB45DFB9D44518CBFB1EF4A218B0084EAD888D7341EB341A18CF82

Uniqueness

Uniqueness Score: -1.00%

Function 07DC32A0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdaf112caeffb56230fa0b985075819a781902a91887efce290ccbceaf712f2f
Instruction ID: 05b52e7514d92f6deed7efe68bb86812127f0a88afba51585d25ecea27698cb6
Opcode Fuzzy Hash: bdaf112caeffb56230fa0b985075819a781902a91887efce290ccbceaf712f2f
Instruction Fuzzy Hash: 9CE0B674E0430CAFCB44EFB9E44549DBBF5AB88208F0085E9D809E7340EB346A09CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07DC417F, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 342fc4cafd22a10780e90412c6abc0100a945bb4d5d90c84f7675d2cf6e2dfe4
Instruction ID: 7828a8a1e6929185207372fe9f410e14107afc8a905b7e60bde67e10b526bbd7
Opcode Fuzzy Hash: 342fc4cafd22a10780e90412c6abc0100a945bb4d5d90c84f7675d2cf6e2dfe4
Instruction Fuzzy Hash: CBD0A73104A34D4FC351BF65F8901D07B346D0122C3040793C14C4D413CB56595A8799

Uniqueness

Uniqueness Score: -1.00%

Function 07DCBD08, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d76b1b9ef0c852113c6d04f099b1a5dd17330f944ba475d198e8b4233dcb998
Instruction ID: 336d02bcdc1486b85d5151947e8d8ec7286382881f57c56e61bb4ee23ceb9be1
Opcode Fuzzy Hash: 3d76b1b9ef0c852113c6d04f099b1a5dd17330f944ba475d198e8b4233dcb998
Instruction Fuzzy Hash: B6D05E7020471B578A24A62AE4408A6B3D9DF885683098929D50EC7520DF60FC458798

Uniqueness

Uniqueness Score: -1.00%

Function 07DC4159, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98394425374e284590ab2c77e07217bfe0e385ba0a34af8e3bf707368cd73fa0
Instruction ID: 17c3f914e4b263a083c12eb307e337cd1ac940b95fdc4cbb27d9c85a4d8e29e5
Opcode Fuzzy Hash: 98394425374e284590ab2c77e07217bfe0e385ba0a34af8e3bf707368cd73fa0
Instruction Fuzzy Hash: C1D022321092A04BCB01EB14E0A07D2B730DF0B3A5B500086C0888F042C6258C1E83E2

Uniqueness

Uniqueness Score: -1.00%

Function 07DC9663, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 379e072fda0593b1d8a764548808ebdf8f31b9ab750fedf5aaa7ff8261803a59
Instruction ID: b7d04899e4378b9ff5f7f3e6e8b80d996f6bb09e9b3330f0543d3c536cb4d096
Opcode Fuzzy Hash: 379e072fda0593b1d8a764548808ebdf8f31b9ab750fedf5aaa7ff8261803a59
Instruction Fuzzy Hash: 6EC08C3700D7D02FCB03977068066CABF70ABC3320F0541C7E1818A4E3C1268946D7B6

Uniqueness

Uniqueness Score: -1.00%

Function 07DC52E0, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00b67945aa17b0f3e58234b58ef4f1523b406068e9b0a844b754ac75e8615cd8
Instruction ID: bcb09f11479ad2a0af2bfb1ab056b3042444ebff1d947ce1cf45210b9b56f9ee
Opcode Fuzzy Hash: 00b67945aa17b0f3e58234b58ef4f1523b406068e9b0a844b754ac75e8615cd8
Instruction Fuzzy Hash: 42C08CF83002006FE3048B60D848A2BBEA6EBE8305F02C098E10586264CE708841CA64

Uniqueness

Uniqueness Score: -1.00%

Function 07DC4DB8, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1417b650f76d327964bfb172576bb1af7bf116ccebf2117dd4c05f079f10ab70
Instruction ID: 2d5d890aa9710a5defcb5b49da2da936ab7a3c771dff1af44cb36ee45ffe9c78
Opcode Fuzzy Hash: 1417b650f76d327964bfb172576bb1af7bf116ccebf2117dd4c05f079f10ab70
Instruction Fuzzy Hash: 94B0123004530E4BCA507F61F80986C731E698411D7405751E10C8D436DF64745D86EC

Uniqueness

Uniqueness Score: -1.00%

Function 07DC4190, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53321eeb1b828a458eb9b14f0ee7647405acbb98823acfed032a270da016ab2f
Instruction ID: 251df2c237dcff19672c29ea68f5da62d384083c5ce4b282ac5f74e1e21111e2
Opcode Fuzzy Hash: 53321eeb1b828a458eb9b14f0ee7647405acbb98823acfed032a270da016ab2f
Instruction Fuzzy Hash: 51B0123104430E4BC950BF60F809554335D658020D3444F11D10C4912A9BEA385A868D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07DE3CE9, Relevance: 5.2, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

t%yl, xrefs: 07DE3F3D
(}l, xrefs: 07DE3DD5
(}l, xrefs: 07DE3E08
t%yl, xrefs: 07DE3F47

Memory Dump Source

Source File: 00000005.00000002.432135918.0000000007DE0000.00000040.00000001.sdmp, Offset: 07DE0000, based on PE: false

Similarity

API ID:
String ID: (}l$(}l$t%yl$t%yl
API String ID: 0-2277834149
Opcode ID: 69e46596c68b3d7fa5974772f432dbd5f855828d05fe24907b497a25e11421c9
Instruction ID: 45c58ee8c238e2c705c26e8b73959a667a4604a313ee16f553de20b94c6f22c2
Opcode Fuzzy Hash: 69e46596c68b3d7fa5974772f432dbd5f855828d05fe24907b497a25e11421c9
Instruction Fuzzy Hash: 75A15CB4A002458FDB15DF29C584A69F7FAEF89714F1681A9E5099F372CB31EC80CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07DCDD90, Relevance: 5.1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

Strings

K}l, xrefs: 07DCDE15
K}l, xrefs: 07DCDDDE
K}l, xrefs: 07DCDE21
K}l, xrefs: 07DCDDD2

Memory Dump Source

Source File: 00000005.00000002.432050388.0000000007DC0000.00000040.00000001.sdmp, Offset: 07DC0000, based on PE: false

Similarity

API ID:
String ID: K}l$K}l$K}l$K}l
API String ID: 0-3145599226
Opcode ID: d61d9195b15d2b4c190898834850769599c5effc88738d6f7c8133ae956dcf4b
Instruction ID: b93428145e20ca4201451e9b68ee5e08d9e84c1d281b742fc67098745129cc8b
Opcode Fuzzy Hash: d61d9195b15d2b4c190898834850769599c5effc88738d6f7c8133ae956dcf4b
Instruction Fuzzy Hash: F421C6753042120F9758DB7AE86062EF2CBAFC9694705407DD60ECF750EF21EC0587A4

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: InstallUtil.exe PID: 5808 Parent PID: 4900 InstallUtil.exeCOMMON

Executed Functions

Function 052937CC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052954A2

Memory Dump Source

Source File: 00000017.00000002.508360861.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 724e71e64d67dbf151eee3728dff7998912b7c9346e8d3294833d7f91f9cecdf
Instruction ID: a5522da5bf94f41b91aed26821ef05966ed59704bedf02bebef7d79df3075902
Opcode Fuzzy Hash: 724e71e64d67dbf151eee3728dff7998912b7c9346e8d3294833d7f91f9cecdf
Instruction Fuzzy Hash: ED51C1B1E143099FDF15CF99C884ADEBBB5BF48314F25812AE819AB310D7749845CF94

Uniqueness

Uniqueness Score: -1.00%

Function 05295386, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 052954A2

Memory Dump Source

Source File: 00000017.00000002.508360861.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4b4e0dcf806ef303764a028b2505b7d82ab6a53f00f205d09c6dbaa22935c8d9
Instruction ID: f83e4a1bcf7bda85a08a80110a4796723bf1b88b3545feca99e0822df12b7f3d
Opcode Fuzzy Hash: 4b4e0dcf806ef303764a028b2505b7d82ab6a53f00f205d09c6dbaa22935c8d9
Instruction Fuzzy Hash: F751C0B1D143099FDF15CFA9C884ADEBBB5BF48314F25812AE819AB310D774A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 05296BB4, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05297DF9

Memory Dump Source

Source File: 00000017.00000002.508360861.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e03d4357bc4ad9ff51e528cfafb5c0d9480cea50271c73ca63390510fb4ea8fd
Instruction ID: 7f8d88f1ae21f6f61840bf4bbdd9778f5c4df12d1243ed632c238c09b6e00796
Opcode Fuzzy Hash: e03d4357bc4ad9ff51e528cfafb5c0d9480cea50271c73ca63390510fb4ea8fd
Instruction Fuzzy Hash: 18414BB4A20349CFCB18CF99C488BAABBF5FF89314F198459D519A7321C774A841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 05296E68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05296EEF

Memory Dump Source

Source File: 00000017.00000002.508360861.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 694a4512782346b5a718ea33027f36dbb6660b037f1b372d41bd38471169b3c9
Instruction ID: f7e1f9ff1188f20d04bce058320be635a2f8264a9d57b0495d19d09aeb139ad2
Opcode Fuzzy Hash: 694a4512782346b5a718ea33027f36dbb6660b037f1b372d41bd38471169b3c9
Instruction Fuzzy Hash: 3E21E3B5D00208AFDB10CFAAD884ADEBBF4EF48324F15841AE919A3310D374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05296E61, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05296EEF

Memory Dump Source

Source File: 00000017.00000002.508360861.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fdc63a10060a2173cef2149b2b004d300d774914058dc0b1bd6fc68ba7cdafa2
Instruction ID: bfc1b9895827a30eaf83f3cf55795ca0904866f790f8d3c8691b6c89c6b1c8f0
Opcode Fuzzy Hash: fdc63a10060a2173cef2149b2b004d300d774914058dc0b1bd6fc68ba7cdafa2
Instruction Fuzzy Hash: 2A21D2B5D002489FDB10CFA9D584BDEBBF4AF48324F15841AE959B3310D374A944CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0529C8F9, Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0529C982

Memory Dump Source

Source File: 00000017.00000002.508360861.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: bb04698c2ca1b562785e1aae239980e837811689391e11a89461c9b39eb92746
Instruction ID: ee6d6a79c63857b9fbaf374587ef418720a21e765f4d27c70fe5976653cefa63
Opcode Fuzzy Hash: bb04698c2ca1b562785e1aae239980e837811689391e11a89461c9b39eb92746
Instruction Fuzzy Hash: 3A2167B291834A8FDB10DFA9C9497AABBF4FF08314F14846AD409B7741C738A904CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0529C908, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0529C982

Memory Dump Source

Source File: 00000017.00000002.508360861.0000000005290000.00000040.00000001.sdmp, Offset: 05290000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: bbd660e17ae5e8ca103e9d6377e0574d4a4dda1a74da5cd7d7baf5cd191ae980
Instruction ID: 4e1071ec7858cf414dd97e26f51a47de6efdde58a36ae3172a96adec1fe0baa6
Opcode Fuzzy Hash: bbd660e17ae5e8ca103e9d6377e0574d4a4dda1a74da5cd7d7baf5cd191ae980
Instruction Fuzzy Hash: 891159B191434A8FDB10DFAAC5487AABBF4FF48314F108469D409B7741C779A904CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 012ED274, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.503980047.00000000012ED000.00000040.00000001.sdmp, Offset: 012ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7982b02b7275bffe07e512dee1ca686bde3141a9801cc26fd132e0ca260147
Instruction ID: e55afb6a43c0135409c5f642b1df08e56f9a408dba611f1e3344e1b345519d6b
Opcode Fuzzy Hash: fb7982b02b7275bffe07e512dee1ca686bde3141a9801cc26fd132e0ca260147
Instruction Fuzzy Hash: 44216A71514208DFDF01CF94D9C8B2ABBA5FB88324F64C569E9084B247C336D816CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012ED53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.503980047.00000000012ED000.00000040.00000001.sdmp, Offset: 012ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31839038935a96570dd1f5a771e98217f3195451c3ee9b37d3387c433ae5fde5
Instruction ID: b048af8ebc179414efce9ecc1749c9f7d609915ce1ad88e58ad9d6c58441b5da
Opcode Fuzzy Hash: 31839038935a96570dd1f5a771e98217f3195451c3ee9b37d3387c433ae5fde5
Instruction Fuzzy Hash: 2F2167B1514208DFDB01DF54E9C8B26BFA5FB88328F248569E9094F207C336D846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012FD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.504107527.00000000012FD000.00000040.00000001.sdmp, Offset: 012FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e9c18f1e2c0d9e82c51026b6fc06ea72adc579a547d264157d412c24b2e11c
Instruction ID: 6dfc71e5dc4b311fb88190c88d6e139c84aafee854403d7465420b335e9b91e0
Opcode Fuzzy Hash: 43e9c18f1e2c0d9e82c51026b6fc06ea72adc579a547d264157d412c24b2e11c
Instruction Fuzzy Hash: 4C214570518208DFDB11CF54D8C0B26FB61FB88354F20C97DDA094B242C336D806CA61

Uniqueness

Uniqueness Score: -1.00%

Function 012FD006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.504107527.00000000012FD000.00000040.00000001.sdmp, Offset: 012FD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b97c8cfd710c1a0ea663717670e9996a613f6c37a6edb515ed310c69c9ff5a
Instruction ID: d6744edc1302d4f557834b44cc71cc29643d01219805358e75197fe734feba5b
Opcode Fuzzy Hash: d6b97c8cfd710c1a0ea663717670e9996a613f6c37a6edb515ed310c69c9ff5a
Instruction Fuzzy Hash: 5F21AC754083848FCB02CF24D990B11BF71EB46314F28C5EEC9498B267C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 012ED26F, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.503980047.00000000012ED000.00000040.00000001.sdmp, Offset: 012ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ed8c3efe35f3d805c20c8b0ea85006a67faed3fe297efa6952166ae74c052e
Instruction ID: a92ef2478f39a9d24d352d666c689a6f93bfcedb25fa2f239345a10a2880a213
Opcode Fuzzy Hash: 69ed8c3efe35f3d805c20c8b0ea85006a67faed3fe297efa6952166ae74c052e
Instruction Fuzzy Hash: 5921E176404284CFCB02CF44D9C4B1ABFB2FB88310F28C6A9D9480B616C33AD456CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012ED537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.503980047.00000000012ED000.00000040.00000001.sdmp, Offset: 012ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7cc86b5ff79ce043c803af90b915b5d7a1ca48b01667a36e239ea52a940d4d9
Instruction ID: 9bac29f5771cc49f90bdea1d6cb69fd96b7c0aafbd46df3fe0f4af18466172aa
Opcode Fuzzy Hash: b7cc86b5ff79ce043c803af90b915b5d7a1ca48b01667a36e239ea52a940d4d9
Instruction Fuzzy Hash: BB11D376404284CFDB12CF54E9C4B16BFB2FB84324F24C6A9D9094B617C336D456CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: InstallUtil.exe PID: 5416 Parent PID: 6012 InstallUtil.exeCOMMON

Executed Functions

Function 013AB6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 013AB730
GetCurrentThread.KERNEL32 ref: 013AB76D
GetCurrentProcess.KERNEL32 ref: 013AB7AA
GetCurrentThreadId.KERNEL32 ref: 013AB803

Memory Dump Source

Source File: 00000018.00000002.422512880.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bb70270b016a2a4a12e444e8be36313f492a2bb3e824deb3337be2ee76b0cd62
Instruction ID: ff70ef986d35867d5cf5fd9b2d319e5891caafd079a8467048c13b671c152b9b
Opcode Fuzzy Hash: bb70270b016a2a4a12e444e8be36313f492a2bb3e824deb3337be2ee76b0cd62
Instruction Fuzzy Hash: EA5142B4D002488FDB14CFAAD988BDEBBF1EF48318F248459E049A7350C7759888CF65

Uniqueness

Uniqueness Score: -1.00%

Function 013AB6CF, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 013AB730
GetCurrentThread.KERNEL32 ref: 013AB76D
GetCurrentProcess.KERNEL32 ref: 013AB7AA
GetCurrentThreadId.KERNEL32 ref: 013AB803

Memory Dump Source

Source File: 00000018.00000002.422512880.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 857399ba9fa63e174802eb207fbcc1796c935f119970c8577656c803066c2195
Instruction ID: b8d11d8d6db33c0d2c36ef830b982c61b726bda2caea422b11ee8fab37254031
Opcode Fuzzy Hash: 857399ba9fa63e174802eb207fbcc1796c935f119970c8577656c803066c2195
Instruction Fuzzy Hash: A05142B4D002488FDB14CFAAD588BEEBFF1EF88318F248559E049A7250C7755888CF65

Uniqueness

Uniqueness Score: -1.00%

Function 013AFAA0, Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013AFD0A

Memory Dump Source

Source File: 00000018.00000002.422512880.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b3b7dc8d687a40d505fe6d672d2c9c760a423fa10f29574ce4cf61fd05862646
Instruction ID: 23009040983a93eeb6188b4c09e98482d801044df6e570abe58c3544a8c5d1bd
Opcode Fuzzy Hash: b3b7dc8d687a40d505fe6d672d2c9c760a423fa10f29574ce4cf61fd05862646
Instruction Fuzzy Hash: 60917071C093899FCB02CFA4C8A19DDBFF1EF0A304F19849AE485AB262C7359846DF51

Uniqueness

Uniqueness Score: -1.00%

Function 013A93E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013A962E

Memory Dump Source

Source File: 00000018.00000002.422512880.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 90a7704100a608d8ff44e1a3f2f38c3e037f9d8502b509d45ab030f8c01c0ce2
Instruction ID: 17a59403b73186122230951d8ae914634ef25fb7759bec9fb539a4d457156ef7
Opcode Fuzzy Hash: 90a7704100a608d8ff44e1a3f2f38c3e037f9d8502b509d45ab030f8c01c0ce2
Instruction Fuzzy Hash: 51712670A00B058FD724DF2AD4457AABBF1FF88218F508A2DD58AE7A50D735E849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 013AFBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013AFD0A

Memory Dump Source

Source File: 00000018.00000002.422512880.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a2662e738e00bfd8483208bd14470534705f9984fde8ef6fb38156ab18f9b9f9
Instruction ID: cf9cbaa321ec67b99e7ddfd695d50b2c716329b847c4cfc342fba2c67b0c30d4
Opcode Fuzzy Hash: a2662e738e00bfd8483208bd14470534705f9984fde8ef6fb38156ab18f9b9f9
Instruction Fuzzy Hash: 9D41CFB1D103099FDB14CF9AC884ADEBBB5FF48314F64852AE819AB210D774A985CF94

Uniqueness

Uniqueness Score: -1.00%

Function 013AFE02, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 013AFE9D

Memory Dump Source

Source File: 00000018.00000002.422512880.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 53df3c20596d48f7b754246efb80718154796143a688c03bdda162227e535605
Instruction ID: f440a773ad905b1cdd49fb0184c78e4bcdb949a0148ebcaac825a447cc639a5e
Opcode Fuzzy Hash: 53df3c20596d48f7b754246efb80718154796143a688c03bdda162227e535605
Instruction Fuzzy Hash: E62189B5804249DFCB01DFA8D945BDEBFF4EF49318F14888AD984AB212C334A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 013ABD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013ABD87

Memory Dump Source

Source File: 00000018.00000002.422512880.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 72ece2c7bd10e9309e8d9825672105506f8e2e291021673cf2926f05d53388f1
Instruction ID: e773a49320d88450842686928dda5a976619f6f3d350bba83095198c735073e9
Opcode Fuzzy Hash: 72ece2c7bd10e9309e8d9825672105506f8e2e291021673cf2926f05d53388f1
Instruction Fuzzy Hash: A521C4B5900208AFDB10CFAAD884ADEFFF4FB48324F14841AE959A7310D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 013ABCFF, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013ABD87

Memory Dump Source

Source File: 00000018.00000002.422512880.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ccf8613aaf1ce79e0693d0c9b26671499824741d9c521b320f87df954537f721
Instruction ID: b977113e94d3bda39a9cde33a2b9d5f60e61efb9e5f5ea2bca77e1196bf0bed6
Opcode Fuzzy Hash: ccf8613aaf1ce79e0693d0c9b26671499824741d9c521b320f87df954537f721
Instruction Fuzzy Hash: BA21B3B5900248AFDB10CFA9D484AEEFFF5EB48324F14841AE959A7310C374A955CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 013A8768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013A96A9,00000800,00000000,00000000), ref: 013A98BA

Memory Dump Source

Source File: 00000018.00000002.422512880.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 24fdbc2c26fed65db7aba9e3b4fcc7b28b50c59702e6747f7ffde2e54a441439
Instruction ID: 7d42972b1e747e9e1036965c3200b799d02b20a1222d1a41aff277386c9b56da
Opcode Fuzzy Hash: 24fdbc2c26fed65db7aba9e3b4fcc7b28b50c59702e6747f7ffde2e54a441439
Instruction Fuzzy Hash: 1A11F2B69002099BDB10CF9AC444BDEFBF8EB48328F14842AD519B7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 013A984F, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013A96A9,00000800,00000000,00000000), ref: 013A98BA

Memory Dump Source

Source File: 00000018.00000002.422512880.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d9ec8dd660e64d2ace358fd8dd1e3d7e27f5f152b22f1d5b967aa646713d4a9a
Instruction ID: 7acb947b63904b7bc4ab1c333efad2f89b1433261983ccb9fa80c64b97366171
Opcode Fuzzy Hash: d9ec8dd660e64d2ace358fd8dd1e3d7e27f5f152b22f1d5b967aa646713d4a9a
Instruction Fuzzy Hash: 321112B6C002099FDB10CFAAD484BDEFBF4EB88328F14842AD559B7200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 013A95C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 013A962E

Memory Dump Source

Source File: 00000018.00000002.422512880.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a236858d26012e4384a1425b9bd76dc4d359ef4e358c9f4a0d0538e18ad7c0e3
Instruction ID: cb230b8075b4f4ed43e6020193eeec1fbfb322850579d7fe54dbae849fe62071
Opcode Fuzzy Hash: a236858d26012e4384a1425b9bd76dc4d359ef4e358c9f4a0d0538e18ad7c0e3
Instruction Fuzzy Hash: 9E11E0B5C002498FDB10CF9AD444BDEFBF4EF88228F14842AD959B7610C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 013AFE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 013AFE9D

Memory Dump Source

Source File: 00000018.00000002.422512880.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b251045ee4fb51e1cb8e51c8efbae6e0da05d0482a58a8fc5dafa775d7bbc874
Instruction ID: 10bf3cccb41f1d5db1940f54062e35ae4f7bf62efb2f92fc8cfb129e75f6dc90
Opcode Fuzzy Hash: b251045ee4fb51e1cb8e51c8efbae6e0da05d0482a58a8fc5dafa775d7bbc874
Instruction Fuzzy Hash: 7F11E2B58002499FDB10DF9AD985BDEFBF8EB48324F24841AD959A7340C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Inv-04_PDF.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection:

E-Banking Fraud:

System Summary:

Stealing of Sensitive Information:

Remote Access Functionality:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: wscript.exe PID: 2540 Parent PID: 3472

General

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre