Windows Analysis Report: Inv-04_PDF.vbs

Overview

General Information

Sample Name: Inv-04_PDF.vbs
Analysis ID: 452070
MD5: b6a05c3a37dde3db4a8005dfaeda9e97
SHA1: c0b64b85e13865a76136ce2d5674ebca53246566
SHA256: 1d5026cbfdcd2825631dd77f8f5149e275f03ec78390f94e63dad83d778569c1
Tags: vbs

Detection

Nanocore, AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • wscript.exe (PID: 2540 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • file1.exe (PID: 4900 cmdline: 'C:\Users\user\AppData\Local\Temp\file1.exe' MD5: 672E9FDC80F39F27F98A048B9F51AEA0)
      • InstallUtil.exe (PID: 5808 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • file2.exe (PID: 6012 cmdline: 'C:\Users\user\AppData\Local\Temp\file2.exe' MD5: B564A2BAE72F01F3E3FB726184FED4C9)
      • InstallUtil.exe (PID: 4072 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • InstallUtil.exe (PID: 5416 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • dhcpmon.exe (PID: 2872 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Inv-04_PDF.vbs | Rule: SUSP_Double_Base64_Encoded_Executable | Description: Detects an executable that has been encoded with base64 twice | Author: Florian Roth
  • 0x6f914:$: VFZxUUFBT
  • 0x18da09:$: UVnFRQUFN

Memory Dumps

Source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0x58b75:$x1: NanoCore.ClientPluginHost
  • 0x58bb2:$x2: IClientNetworkHost
  • 0x5c6e5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Unpacked PEs

Source: 4.2.file1.exe.3ca7650.7.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 4.2.file1.exe.3ca7650.7.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 5.2.file2.exe.4114b60.3.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 5.2.file2.exe.4114b60.3.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost
Source: 5.2.file2.exe.4114b60.3.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore (same File created event, EventID 11 from InstallUtil.exe PID 5416 writing run.dat, as listed under AV Detection)

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\file2.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\file2.exe, ParentProcessId: 6012, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 4072

Stealing of Sensitive Information:

Sigma detected: NanoCore (same File created event, EventID 11 from InstallUtil.exe PID 5416 writing run.dat, as listed under AV Detection)

Remote Access Functionality:

Sigma detected: NanoCore (same File created event, EventID 11 from InstallUtil.exe PID 5416 writing run.dat, as listed under AV Detection)

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\file1.exe | Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\file1.exe | ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\file2.exe | Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\file2.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe | Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe | ReversingLabs: Detection: 57%
Yara detected Nanocore RAT
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\file1.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\file2.exe | Joe Sandbox ML: detected
Source: 24.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
              .NET source code contains very large array initializations
              Source: 23.2.InstallUtil.exe.400000.0.unpack, <PrivateImplementationDetails>{CC1C2456-206C-47B2-B640-7A9D0A18E16B}/B899F0BC-2DBB-4D46-A39E-C38AFE9A69B6.cs | Large array initialization: .cctor: array initializer size 12097
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Code function: 4_2_00BDC114
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Code function: 4_2_00BDE558
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Code function: 4_2_00BDE548
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_02DEC25C
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_02DEE1D0
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_02DEE1C0
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_07DC9E90
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_07DCC7A0
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_07DCCF2B
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_07DEF4B0
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_07DEA5FF
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_07DECD58
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_07DE3CF8
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_07DE84A1
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_07DE9AD9
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 22_2_003620B0
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 23_2_00B320B0
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 23_2_012FDAE8
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 23_2_05294042
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 23_2_052949A0
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 23_2_052948AF
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_009920B0
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_013AE471
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_013AE480
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_013ABBD4
              Source: Inv-04_PDF.vbs | Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exe | Section loaded: msdart.dll
              Source: Inv-04_PDF.vbs, type: SAMPLE | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.3.wscript.exe.15609a23410.3.unpack, type: UNPACKEDPE | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 24.2.InstallUtil.exe.2d396cc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 24.2.InstallUtil.exe.2d396cc.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.3.wscript.exe.15609a23410.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.3.wscript.exe.15609a23410.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000000.00000003.239940723.0000015609951000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000000.00000003.237652403.0000015608C41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000000.00000003.238803642.0000015608A41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000000.00000003.239481925.0000015609951000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 00000000.00000003.248521779.0000015609010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: Process Memory Space: file2.exe PID: 6012, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: file2.exe PID: 6012, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: wscript.exe PID: 2540, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: file1.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: file2.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: Explorer64int.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: Explorer64int.exe.5.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 23.2.InstallUtil.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: classification engine | Classification label: mal100.troj.evad.winVBS@13/11@0/0
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File created: C:\Program Files (x86)\DHCP Monitor
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file1.exe.log
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{de7e01ad-963b-4e14-81aa-08dfb351f0fe}
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_01
              Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\file1.exe
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs'
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs'
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\file1.exe 'C:\Users\user\AppData\Local\Temp\file1.exe'
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\file2.exe 'C:\Users\user\AppData\Local\Temp\file2.exe'
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\file1.exe 'C:\Users\user\AppData\Local\Temp\file1.exe'
              Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\file2.exe 'C:\Users\user\AppData\Local\Temp\file2.exe'
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: Inv-04_PDF.vbs | Static file information: File size 2437367 > 1048576
              Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000016.00000000.413304012.0000000000362000.00000002.00020000.sdmp, InstallUtil.exe, 00000017.00000000.413907585.0000000000B32000.00000002.00020000.sdmp, InstallUtil.exe, 00000018.00000000.414470588.0000000000992000.00000002.00020000.sdmp, dhcpmon.exe, 0000001C.00000002.444953015.00000000006B2000.00000002.00020000.sdmp, InstallUtil.exe.5.dr
              Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, 0000001C.00000002.444953015.00000000006B2000.00000002.00020000.sdmp, InstallUtil.exe.5.dr

              Data Obfuscation:

              VBScript performs obfuscated calls to suspicious functions
              Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\file1.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJFZrr0AAAAAAAAAAOAADgELATAAAOIMAABAAAAAAAAA3gE");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\file1.exe", "2");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAH4SMoAAAAAAAAAAOAADgELATAAAHANAABAAAAAAAAADo8");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\file2.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\file1.exe");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\file2.exe")
              .NET source code contains potential unpacker
              Source: file1.exe.0.dr, Vzgxrm.Structs/ConnectionParameterStructBuilder.cs .Net Code: SetException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: file1.exe.0.dr, Vzgxrm.Structs/ConnectionParameterStructBuilder.cs .Net Code: RestartException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: file2.exe.0.dr, Hblvlabxuo.Objects/Initializer.cs .Net Code: RemoveInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: file2.exe.0.dr, Hblvlabxuo.Objects/Initializer.cs .Net Code: CloneInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: Explorer64int.exe.4.dr, Vzgxrm.Structs/ConnectionParameterStructBuilder.cs .Net Code: SetException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: Explorer64int.exe.4.dr, Vzgxrm.Structs/ConnectionParameterStructBuilder.cs .Net Code: RestartException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: Explorer64int.exe.5.dr, Hblvlabxuo.Objects/Initializer.cs .Net Code: RemoveInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: Explorer64int.exe.5.dr, Hblvlabxuo.Objects/Initializer.cs .Net Code: CloneInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 5.0.file2.exe.a20000.0.unpack, Hblvlabxuo.Objects/Initializer.cs .Net Code: RemoveInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 5.0.file2.exe.a20000.0.unpack, Hblvlabxuo.Objects/Initializer.cs .Net Code: CloneInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 5.2.file2.exe.a20000.0.unpack, Hblvlabxuo.Objects/Initializer.cs .Net Code: RemoveInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 5.2.file2.exe.a20000.0.unpack, Hblvlabxuo.Objects/Initializer.cs .Net Code: CloneInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: file1.exe.0.dr Static PE information: 0xBDAE5991 [Tue Nov 4 09:46:57 2070 UTC]
              Source: C:\Users\user\AppData\Local\Temp\file1.exe Code function: 4_2_003F311C push esi; retf 4_2_003F311F
              Source: C:\Users\user\AppData\Local\Temp\file1.exe Code function: 4_2_003F2C0E push esi; retf 4_2_003F2C11
              Source: C:\Users\user\AppData\Local\Temp\file1.exe Code function: 4_2_003F2A04 push esi; retf 4_2_003F2A75
              Source: C:\Users\user\AppData\Local\Temp\file1.exe Code function: 4_2_003F30BC push esi; retf 4_2_003F30BF
              Source: C:\Users\user\AppData\Local\Temp\file1.exe Code function: 4_2_003FF8E2 push edi; retf 4_2_003FF8E4
              Source: C:\Users\user\AppData\Local\Temp\file2.exe Code function: 5_2_00A300D6 push edi; retf 5_2_00A300D8
              Source: C:\Users\user\AppData\Local\Temp\file2.exe Code function: 5_2_00A230D9 push edi; ret 5_2_00A230E0
              Source: C:\Users\user\AppData\Local\Temp\file2.exe Code function: 5_2_00A22BFC push edi; ret 5_2_00A22CAC
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 24_2_013AC078 push ds; retf 24_2_013AC0AE
              Source: initial sample Static PE information: section name: .text entropy: 7.26492487859
              Source: initial sample Static PE information: section name: .text entropy: 7.23635224737
              Source: C:\Users\user\AppData\Local\Temp\file2.exe File created: C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe
              Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\file2.exe
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\file1.exe
              Source: C:\Users\user\AppData\Local\Temp\file2.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

              Boot Survival:

              Creates an undocumented autostart registry key
              Source: C:\Users\user\AppData\Local\Temp\file2.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
              Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes