
Windows Analysis Report Inv-04_PDF.vbs

Overview

General Information

Sample Name:Inv-04_PDF.vbs
Analysis ID:452070
MD5:b6a05c3a37dde3db4a8005dfaeda9e97
SHA1:c0b64b85e13865a76136ce2d5674ebca53246566
SHA256:1d5026cbfdcd2825631dd77f8f5149e275f03ec78390f94e63dad83d778569c1
Tags:vbs

Detection

Nanocore AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Benign windows process drops PE files
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
VBScript performs obfuscated calls to suspicious functions
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 2540 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • file1.exe (PID: 4900 cmdline: 'C:\Users\user\AppData\Local\Temp\file1.exe' MD5: 672E9FDC80F39F27F98A048B9F51AEA0)
      • InstallUtil.exe (PID: 5808 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • file2.exe (PID: 6012 cmdline: 'C:\Users\user\AppData\Local\Temp\file2.exe' MD5: B564A2BAE72F01F3E3FB726184FED4C9)
      • InstallUtil.exe (PID: 4072 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • InstallUtil.exe (PID: 5416 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • dhcpmon.exe (PID: 2872 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Inv-04_PDF.vbs
Rule: SUSP_Double_Base64_Encoded_Executable
Description: Detects an executable that has been encoded with base64 twice
Author: Florian Roth
Strings:
  • 0x6f914:$: VFZxUUFBT
  • 0x18da09:$: UVnFRQUFN

Memory Dumps

Source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp
Rule: JoeSecurity_AgentTesla_1
Description: Yara detected AgentTesla
Author: Joe Security

Source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp
Rule: JoeSecurity_AgentTesla_2
Description: Yara detected AgentTesla
Author: Joe Security

Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x42f15:$a: NanoCore
  • 0x42f6e:$a: NanoCore
  • 0x42fab:$a: NanoCore
  • 0x43024:$a: NanoCore
  • 0x566cf:$a: NanoCore
  • 0x566e4:$a: NanoCore
  • 0x56719:$a: NanoCore
  • 0x6f193:$a: NanoCore
  • 0x6f1a8:$a: NanoCore
  • 0x6f1dd:$a: NanoCore
  • 0x42f77:$b: ClientPlugin
  • 0x42fb4:$b: ClientPlugin
  • 0x438b2:$b: ClientPlugin
  • 0x438bf:$b: ClientPlugin
  • 0x5648b:$b: ClientPlugin
  • 0x564a6:$b: ClientPlugin
  • 0x564d6:$b: ClientPlugin
  • 0x566ed:$b: ClientPlugin
  • 0x56722:$b: ClientPlugin
  • 0x6ef4f:$b: ClientPlugin
  • 0x6ef6a:$b: ClientPlugin

Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x58b75:$x1: NanoCore.ClientPluginHost
  • 0x58bb2:$x2: IClientNetworkHost
  • 0x5c6e5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

(36 entries in total; the remaining entries are not included here)

Unpacked PEs

Source: 4.2.file1.exe.3ca7650.7.unpack
Rule: JoeSecurity_AgentTesla_1
Description: Yara detected AgentTesla
Author: Joe Security

Source: 4.2.file1.exe.3ca7650.7.unpack
Rule: JoeSecurity_AgentTesla_2
Description: Yara detected AgentTesla
Author: Joe Security

Source: 5.2.file2.exe.4114b60.3.unpack
Rule: Nanocore_RAT_Gen_2
Description: Detetcs the Nanocore RAT
Author: Florian Roth
Strings:
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 5.2.file2.exe.4114b60.3.unpack
Rule: Nanocore_RAT_Feb18_1
Description: Detects Nanocore RAT
Author: Florian Roth
Strings:
  • 0xe105:$x1: NanoCore Client.exe
  • 0xe38d:$x2: NanoCore.ClientPluginHost
  • 0xf9c6:$s1: PluginCommand
  • 0xf9ba:$s2: FileCommand
  • 0x1086b:$s3: PipeExists
  • 0x16622:$s4: PipeCreated
  • 0xe3b7:$s5: IClientLoggingHost

Source: 5.2.file2.exe.4114b60.3.unpack
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

(62 entries in total; the remaining entries are not included here)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\file2.exe' , ParentImage: C:\Users\user\AppData\Local\Temp\file2.exe, ParentProcessId: 6012, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 4072

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\file1.exe; ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\file2.exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\file2.exe; ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe; Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe; ReversingLabs: Detection: 57%
Yara detected Nanocore RAT
Source: Yara match; File source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file2.exe PID: 6012, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\file2.exe; Joe Sandbox ML: detected
Source: 24.2.InstallUtil.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.InstallUtil.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll; source: InstallUtil.exe, 00000016.00000000.413304012.0000000000362000.00000002.00020000.sdmp, InstallUtil.exe, 00000017.00000000.413907585.0000000000B32000.00000002.00020000.sdmp, InstallUtil.exe, 00000018.00000000.414470588.0000000000992000.00000002.00020000.sdmp, dhcpmon.exe, 0000001C.00000002.444953015.00000000006B2000.00000002.00020000.sdmp, InstallUtil.exe.5.dr
Source: Binary string: InstallUtil.pdb; source: InstallUtil.exe, dhcpmon.exe, 0000001C.00000002.444953015.00000000006B2000.00000002.00020000.sdmp, InstallUtil.exe.5.dr
Source: InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp; String found in binary or memory: http://gKSfZA.com
Source: file1.exe, 00000004.00000003.252695976.0000000005AE7000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: file1.exe, 00000004.00000003.254663518.0000000005B06000.00000004.00000001.sdmp; String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comtig(
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: file1.exe, 00000004.00000003.255713488.0000000005B06000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: file1.exe, 00000004.00000003.262045265.0000000005B06000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersB
Source: file1.exe, 00000004.00000003.257384126.0000000005B06000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersC
Source: file1.exe, 00000004.00000003.255745631.0000000005B06000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersF
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: file1.exe, 00000004.00000003.256018539.0000000005B06000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersP
Source: file1.exe, 00000004.00000003.255783808.0000000005B06000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersZ
Source: file1.exe, 00000004.00000003.255996734.0000000005B06000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersers
Source: file1.exe, 00000004.00000003.256018539.0000000005B06000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersw
Source: file1.exe, 00000004.00000002.425311594.0000000005AD0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.come.com
Source: file1.exe, 00000004.00000002.425311594.0000000005AD0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comm
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: file1.exe, 00000004.00000003.250853437.0000000005AEB000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comc
Source: file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmp, file1.exe, 00000004.00000003.251985976.0000000005AE6000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: file1.exe, 00000004.00000003.251985976.0000000005AE6000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnd
Source: file1.exe, 00000004.00000003.252218602.0000000005AE1000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cni
Source: file1.exe, 00000004.00000003.252218602.0000000005AE1000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnt-p
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: file1.exe, 00000004.00000003.260733212.0000000005AE4000.00000004.00000001.sdmp, file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: file1.exe, 00000004.00000003.254192747.0000000005ADA000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: file1.exe, 00000004.00000003.254192747.0000000005ADA000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: file1.exe, 00000004.00000003.254192747.0000000005ADA000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/fr-c
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com.
Source: file1.exe, 00000004.00000003.252450344.0000000005AE9000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comn
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: file1.exe, 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, InstallUtil.exe, 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: InstallUtil.exe, 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file2.exe PID: 6012, type: MEMORY

              System Summary:

              barindex
              Malicious sample detected (through community Yara rule)Show sources
              Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 24.2.InstallUtil.exe.2d396cc.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
              Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
              Source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
              Source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
              Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
              Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
              Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
              Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
              Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
              Source: Process Memory Space: file2.exe PID: 6012, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
              Source: Process Memory Space: file2.exe PID: 6012, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
              .NET source code contains very large array initializations
              Source: 23.2.InstallUtil.exe.400000.0.unpack, <PrivateImplementationDetails>{CC1C2456-206C-47B2-B640-7A9D0A18E16B}/B899F0BC-2DBB-4D46-A39E-C38AFE9A69B6.cs, Large array initialization: .cctor: array initializer size 12097
              Source: C:\Users\user\AppData\Local\Temp\file1.exe, Code function: 4_2_00BDC114
              Source: C:\Users\user\AppData\Local\Temp\file1.exe, Code function: 4_2_00BDE558
              Source: C:\Users\user\AppData\Local\Temp\file1.exe, Code function: 4_2_00BDE548
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Code function: 5_2_02DEC25C
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Code function: 5_2_02DEE1D0
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Code function: 5_2_02DEE1C0
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Code function: 5_2_07DC9E90
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Code function: 5_2_07DCC7A0
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Code function: 5_2_07DCCF2B
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Code function: 5_2_07DEF4B0
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Code function: 5_2_07DEA5FF
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Code function: 5_2_07DECD58
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Code function: 5_2_07DE3CF8
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Code function: 5_2_07DE84A1
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Code function: 5_2_07DE9AD9
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 22_2_003620B0
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 23_2_00B320B0
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 23_2_012FDAE8
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 23_2_05294042
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 23_2_052949A0
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 23_2_052948AF
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 24_2_009920B0
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 24_2_013AE471
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 24_2_013AE480
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Code function: 24_2_013ABBD4
              Source: Inv-04_PDF.vbs, Initial sample: Strings found which are bigger than 50
              Source: C:\Windows\System32\wscript.exe, Section loaded: msdart.dll
              Source: Inv-04_PDF.vbs, type: SAMPLE, Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.34379e8.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.34379e8.1.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.3.wscript.exe.15609a23410.3.unpack, type: UNPACKEDPE, Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 24.2.InstallUtil.exe.2d396cc.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 24.2.InstallUtil.exe.2d396cc.2.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.3.wscript.exe.15609a23410.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 0.3.wscript.exe.15609a23410.2.unpack, type: UNPACKEDPE, Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000000.00000003.239940723.0000015609951000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000000.00000003.237652403.0000015608C41000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000000.00000003.238803642.0000015608A41000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: 00000000.00000003.239481925.0000015609951000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: 00000000.00000003.248521779.0000015609010000.00000004.00000001.sdmp, type: MEMORY, Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: Process Memory Space: file2.exe PID: 6012, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
              Source: Process Memory Space: file2.exe PID: 6012, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
              Source: Process Memory Space: wscript.exe PID: 2540, type: MEMORY, Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
              Source: file1.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: file2.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: Explorer64int.exe.4.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: Explorer64int.exe.5.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 23.2.InstallUtil.exe.400000.0.unpack, A/b2.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 23.2.InstallUtil.exe.400000.0.unpack, A/b2.cs, Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: classification engine, Classification label: mal100.troj.evad.winVBS@13/11@0/0
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, File created: C:\Program Files (x86)\DHCP Monitor
              Source: C:\Users\user\AppData\Local\Temp\file1.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file1.exe.log
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\{de7e01ad-963b-4e14-81aa-08dfb351f0fe}
              Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_01
              Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\file1.exe
              Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs'
              Source: C:\Users\user\AppData\Local\Temp\file1.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\wscript.exe, File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs'
              Source: C:\Windows\System32\wscript.exe, Process created: C:\Users\user\AppData\Local\Temp\file1.exe 'C:\Users\user\AppData\Local\Temp\file1.exe'
              Source: C:\Windows\System32\wscript.exe, Process created: C:\Users\user\AppData\Local\Temp\file2.exe 'C:\Users\user\AppData\Local\Temp\file2.exe'
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: C:\Users\user\AppData\Local\Temp\file1.exe, Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: unknown, Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\wscript.exe, Process created: C:\Users\user\AppData\Local\Temp\file1.exe 'C:\Users\user\AppData\Local\Temp\file1.exe'
              Source: C:\Windows\System32\wscript.exe, Process created: C:\Users\user\AppData\Local\Temp\file2.exe 'C:\Users\user\AppData\Local\Temp\file2.exe'
              Source: C:\Users\user\AppData\Local\Temp\file1.exe, Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: C:\Users\user\AppData\Local\Temp\file2.exe, Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
              Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
              Source: Window Recorder, Window detected: More than 3 window changes detected
              Source: C:\Users\user\AppData\Local\Temp\file1.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: Inv-04_PDF.vbs, Static file information: File size 2437367 > 1048576
              Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000016.00000000.413304012.0000000000362000.00000002.00020000.sdmp, InstallUtil.exe, 00000017.00000000.413907585.0000000000B32000.00000002.00020000.sdmp, InstallUtil.exe, 00000018.00000000.414470588.0000000000992000.00000002.00020000.sdmp, dhcpmon.exe, 0000001C.00000002.444953015.00000000006B2000.00000002.00020000.sdmp, InstallUtil.exe.5.dr
              Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, dhcpmon.exe, 0000001C.00000002.444953015.00000000006B2000.00000002.00020000.sdmp, InstallUtil.exe.5.dr
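The process-creation lines above give the whole execution chain: wscript.exe running the .vbs drops and launches file1.exe and file2.exe from %TEMP%, each of which starts a copy of InstallUtil.exe that also lives in %TEMP% (the legitimate binary ships under C:\Windows\Microsoft.NET\Framework\v4.0.30319), and the persisted dhcpmon.exe under "C:\Program Files (x86)\DHCP Monitor" still carries the InstallUtil.pdb path in its binary strings, i.e. it is a renamed InstallUtil.exe. The script below is an added example, not part of the Joe Sandbox report: it encodes those observations as process-tree rules and runs them over constructed events modelled on the report's lines (PIDs other than 2540 and 6012, the parent of the first wscript.exe, the pdb fields and the final benign control event are assumed for the example; a real feed such as Sysmon event ID 1 supplies the same fields).

```python
"""Process-tree rules for the wscript -> %TEMP% dropper -> InstallUtil chain (added example)."""
import ntpath
import re

# Constructed events modelled on the 'Process created' and 'Binary string' lines of the
# report. PIDs other than 2540/6012, the explorer.exe parent, and the last event (a
# legitimate InstallUtil run used as a control) are assumptions for this example.
EVENTS = [
    {"pid": 2540, "ppid": 1000, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs'", "pdb": None},
    {"pid": 5100, "ppid": 2540, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\file1.exe",
     "cmd": r"'C:\Users\user\AppData\Local\Temp\file1.exe'", "pdb": None},
    {"pid": 6012, "ppid": 2540, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\file2.exe",
     "cmd": r"'C:\Users\user\AppData\Local\Temp\file2.exe'", "pdb": None},
    {"pid": 6200, "ppid": 6012, "parent": r"C:\Users\user\AppData\Local\Temp\file2.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
     "cmd": r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe", "pdb": "InstallUtil.pdb"},
    {"pid": 7000, "ppid": None, "parent": None,
     "image": r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
     "cmd": r"'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'", "pdb": "InstallUtil.pdb"},
    {"pid": 7100, "ppid": 900, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmd": r"InstallUtil.exe MyService.exe", "pdb": "InstallUtil.pdb"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Anything under a user's AppData (covers %TEMP% = AppData\Local\Temp).
APPDATA = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# The only places the genuine InstallUtil.exe is installed.
FRAMEWORK_INSTALLUTIL = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\installutil\.exe$", re.I)


def name(path):
    """Lower-cased file name of a Windows path ('' when the parent is unknown)."""
    return ntpath.basename(path or "").lower()


def stem(path):
    """File name without extension, lower-cased."""
    return ntpath.splitext(name(path))[0]


def check_event(ev):
    """Return the rule names one process-creation event trips (empty = nothing suspicious)."""
    image, parent, hits = ev["image"], ev.get("parent"), []
    if name(parent) in SCRIPT_HOSTS and APPDATA.match(image):
        hits.append("script_host_spawned_appdata_binary")
    if name(image) == "installutil.exe" and not FRAMEWORK_INSTALLUTIL.match(image):
        hits.append("installutil_outside_framework_dir")
    if name(image) == "installutil.exe" and parent and APPDATA.match(parent):
        hits.append("installutil_child_of_appdata_binary")
    # A renamed binary keeps its linker-embedded PDB name (InstallUtil.pdb in dhcpmon.exe).
    if ev.get("pdb") and stem(ev["pdb"]) != stem(image):
        hits.append("image_name_differs_from_pdb_name")
    return hits


def ancestry(events, pid):
    """Image names from the given process up to the root, following ppid links."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events):
    """Map pid -> rule hits for every event that trips at least one rule."""
    out = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            out[ev["pid"]] = hits
    return out


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, " <- ".join(ancestry(EVENTS, pid)), hits)
```

The InstallUtil rules fire on the %TEMP% copy (started by file2.exe) but stay silent on the control event from the framework directory; the PDB rule is what catches dhcpmon.exe, whose parent is not recorded in the report and whose path alone looks like an ordinary installed product.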

              Data Obfuscation:

              VBScript performs obfuscated calls to suspicious functions
              Source: C:\Windows\System32\wscript.exe, Anti Malware Scan Interface: .Run("C:\Users\user\AppData\Local\Temp\file1.exe");IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJFZrr0AAAAAAAAAAOAADgELATAAAOIMAABAAAAAAAAA3gE");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\file1.exe", "2");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAH4SMoAAAAAAAAAAOAADgELATAAAHANAABAAAAAAAAADo8");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\file2.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\file1.exe");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\file2.exe")
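The AMSI trace above is the dropper's entire mechanism: an MSXML DOM element with dataType set to bin.base64 decodes an embedded base64 PE through nodeTypedValue, an ADODB Stream (Type 1 = binary) writes the bytes to %TEMP%\file1.exe and file2.exe, and WScript.Shell runs both; the SUSP_Double_Base64_Encoded_Executable matches on the .vbs itself indicate that inside the script the payload is base64-wrapped a second time, so the trace shows it only after one layer has already been peeled. The Python triage helper below is an added example, not part of the report or of Joe Sandbox: it carves long base64 runs out of a script, peels up to two base64 layers, and validates the result as a PE by walking MZ -> e_lfanew -> PE\0\0 instead of trusting the familiar "TVqQ" prefix. The VBScript it runs on is constructed to mirror the call sequence in the trace (the real source of Inv-04_PDF.vbs is not on the page); the payload prefix inside it is the truncated base64 the trace shows being passed to IXMLDOMElement.text for file1.exe, and the double-encoded sample is a synthetic header built for the test.

```python
"""Carve base64-embedded PE payloads out of a dropper script (added example)."""
import base64
import hashlib
import re
import struct

# A base64 run long enough to be a payload rather than a short literal.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
DOS_STUB = b"This program cannot be run in DOS mode"

# Truncated payload prefix exactly as the AMSI trace shows it for file1.exe.
FILE1_B64 = b"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJFZrr0AAAAAAAAAAOAADgELATAAAOIMAABAAAAAAAAA3gE"

# Constructed VBScript modelled on the call sequence in the trace; not the real sample.
SAMPLE_VBS = (
    b'Set oNode = CreateObject("MSXML2.DOMDocument").createElement("tmp")\r\n'
    b'oNode.dataType = "bin.base64"\r\n'
    b'oNode.text = "' + FILE1_B64 + b'"\r\n'
    b'Set oStream = CreateObject("ADODB.Stream")\r\n'
    b'oStream.Type = 1: oStream.Open: oStream.Write oNode.nodeTypedValue\r\n'
    b'oStream.SaveToFile "C:\\Users\\user\\AppData\\Local\\Temp\\file1.exe", 2\r\n'
    b'CreateObject("WScript.Shell").Run "C:\\Users\\user\\AppData\\Local\\Temp\\file1.exe"\r\n'
)


def b64_decode_lenient(data):
    """Decode base64 that may be unpadded or cut short, as blobs in a trace usually are."""
    data = data.rstrip(b"=")
    if len(data) % 4 == 1:          # a lone trailing sextet cannot form a byte
        data = data[:-1]
    return base64.b64decode(data + b"=" * (-len(data) % 4))


def pe_info(blob):
    """Return (is_pe, e_lfanew, machine) by walking MZ -> e_lfanew -> 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False, None, None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, e_lfanew, None
    return True, e_lfanew, struct.unpack_from("<H", blob, e_lfanew + 4)[0]


def carve_payloads(script, max_layers=2):
    """Find base64 runs, peel up to max_layers of base64, and report what came out."""
    found = []
    for m in B64_RUN.finditer(script):
        blob, layers = m.group(0), 0
        while layers < max_layers:
            try:
                blob = b64_decode_lenient(blob)
            except ValueError:      # binascii.Error is a ValueError
                break
            layers += 1
            if blob[:2] == b"MZ":
                break
            # Keep peeling only while the result is itself base64 text.
            if not B64_RUN.fullmatch(blob.rstrip(b"=")):
                break
        is_pe, e_lfanew, machine = pe_info(blob)
        found.append({
            "offset": m.start(), "layers": layers, "size": len(blob),
            "is_pe": is_pe, "e_lfanew": e_lfanew, "machine": machine,
            "dos_stub": DOS_STUB in blob,
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return found


def fake_pe():
    """Synthetic MZ/PE header (constructed for the double-base64 test, not from the sample)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, 0x14C)
    return bytes(hdr) + DOS_STUB


# What the SUSP_Double_Base64_Encoded_Executable rule is built to catch.
DOUBLE_B64 = base64.b64encode(base64.b64encode(fake_pe()))


if __name__ == "__main__":
    for hit in carve_payloads(SAMPLE_VBS) + carve_payloads(DOUBLE_B64):
        print(hit)
```

On the constructed script the single run decodes in one layer to a Machine 0x14C (i386) PE with e_lfanew 0x80; on the double-encoded sample the loop peels two layers before the MZ check stops it. A blob that decodes to MZ but has no PE signature at e_lfanew is reported with is_pe False rather than trusted, which is the check worth keeping when the blob was truncated or deliberately malformed.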
              .NET source code contains potential unpackerShow sources
              Source: file1.exe.0.dr, Vzgxrm.Structs/ConnectionParameterStructBuilder.cs | .Net Code: SetException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: file1.exe.0.dr, Vzgxrm.Structs/ConnectionParameterStructBuilder.cs | .Net Code: RestartException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: file2.exe.0.dr, Hblvlabxuo.Objects/Initializer.cs | .Net Code: RemoveInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: file2.exe.0.dr, Hblvlabxuo.Objects/Initializer.cs | .Net Code: CloneInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: Explorer64int.exe.4.dr, Vzgxrm.Structs/ConnectionParameterStructBuilder.cs | .Net Code: SetException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: Explorer64int.exe.4.dr, Vzgxrm.Structs/ConnectionParameterStructBuilder.cs | .Net Code: RestartException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: Explorer64int.exe.5.dr, Hblvlabxuo.Objects/Initializer.cs | .Net Code: RemoveInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: Explorer64int.exe.5.dr, Hblvlabxuo.Objects/Initializer.cs | .Net Code: CloneInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 5.0.file2.exe.a20000.0.unpack, Hblvlabxuo.Objects/Initializer.cs | .Net Code: RemoveInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 5.0.file2.exe.a20000.0.unpack, Hblvlabxuo.Objects/Initializer.cs | .Net Code: CloneInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 5.2.file2.exe.a20000.0.unpack, Hblvlabxuo.Objects/Initializer.cs | .Net Code: RemoveInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 5.2.file2.exe.a20000.0.unpack, Hblvlabxuo.Objects/Initializer.cs | .Net Code: CloneInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: file1.exe.0.dr | Static PE information: 0xBDAE5991 [Tue Nov 4 09:46:57 2070 UTC]
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Code function: 4_2_003F311C push esi; retf
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Code function: 4_2_003F2C0E push esi; retf
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Code function: 4_2_003F2A04 push esi; retf
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Code function: 4_2_003F30BC push esi; retf
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Code function: 4_2_003FF8E2 push edi; retf
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_00A300D6 push edi; retf
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_00A230D9 push edi; ret
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Code function: 5_2_00A22BFC push edi; ret
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 24_2_013AC078 push ds; retf
              Source: initial sample | Static PE information: section name: .text entropy: 7.26492487859
              Source: initial sample | Static PE information: section name: .text entropy: 7.23635224737
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | File created: C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe
              Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\file2.exe
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\file1.exe
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

              Boot Survival:

              Creates an undocumented autostart registry key
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
              Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: file1.exe, 00000004.00000002.417743269.0000000002969000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.420601026.00000000030E4000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Window / User API: threadDelayed 2267
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Window / User API: threadDelayed 2266
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 9555
              Source: C:\Users\user\AppData\Local\Temp\file1.exe TID: 4440 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\file2.exe TID: 4724 | Thread sleep count: 2266 > 30
              Source: C:\Users\user\AppData\Local\Temp\file2.exe TID: 4520 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5044 | Thread sleep time: -15679732462653109s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1632 | Thread sleep count: 9555 > 30
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1632 | Thread sleep count: 280 > 30
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 5228 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: file2.exe, 00000005.00000002.420601026.00000000030E4000.00000004.00000001.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
              Source: wscript.exe, 00000000.00000002.257990768.000001560A1D0000.00000002.00000001.sdmp, InstallUtil.exe, 00000017.00000002.511625785.0000000005FF0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: file2.exe, 00000005.00000002.420601026.00000000030E4000.00000004.00000001.sdmp | Binary or memory string: vmware
              Source: file2.exe, 00000005.00000002.420601026.00000000030E4000.00000004.00000001.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
              Source: wscript.exe, 00000000.00000002.257990768.000001560A1D0000.00000002.00000001.sdmp, InstallUtil.exe, 00000017.00000002.511625785.0000000005FF0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: wscript.exe, 00000000.00000002.257990768.000001560A1D0000.00000002.00000001.sdmp, InstallUtil.exe, 00000017.00000002.511625785.0000000005FF0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: wscript.exe, 00000000.00000002.257990768.000001560A1D0000.00000002.00000001.sdmp, InstallUtil.exe, 00000017.00000002.511625785.0000000005FF0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: wscript.exe, 00000000.00000002.256836199.0000015609A58000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}xT
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\file2.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process token adjusted: Debug
              Source: C:\Users\user\AppData\Local\Temp\file1.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Benign windows process drops PE filesShow sources
              Source: C:\Windows\System32\wscript.exeFile created: file1.exe.0.drJump to dropped file
              Injects a PE file into a foreign processesShow sources
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\file2.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 438000
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 43A000
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: CE8008
Source: C:\Users\user\AppData\Local\Temp\file2.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\file2.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\file2.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
Source: C:\Users\user\AppData\Local\Temp\file2.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
Source: C:\Users\user\AppData\Local\Temp\file2.exe; Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: A34008
Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Local\Temp\file1.exe 'C:\Users\user\AppData\Local\Temp\file1.exe'
Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Local\Temp\file2.exe 'C:\Users\user\AppData\Local\Temp\file2.exe'
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\file2.exe; Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\file2.exe; Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: InstallUtil.exe, 00000017.00000002.504611547.0000000001930000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000017.00000002.504611547.0000000001930000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: InstallUtil.exe, 00000017.00000002.504611547.0000000001930000.00000002.00000001.sdmp; Binary or memory string: SProgram Managerl
Source: InstallUtil.exe, 00000017.00000002.504611547.0000000001930000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd,
Source: InstallUtil.exe, 00000017.00000002.504611547.0000000001930000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\file1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\file1.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Users\user\AppData\Local\Temp\file2.exe VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
               Source: C:\Users\user\AppData\Local\Temp\file2.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\file2.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe VolumeInformation
              Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match; File source: 4.2.file1.exe.3ca7650.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.39c7c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3a3fc58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3cf7670.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3ca7650.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3c4ba30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3cf7670.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match; File source: 4.2.file1.exe.3ca7650.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.39c7c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3a3fc58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3cf7670.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3ca7650.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3c4ba30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3cf7670.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 5808, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match; File source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file2.exe PID: 6012, type: MEMORY
Source: Yara match; File source: 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 5808, type: MEMORY

              Remote Access Functionality:

Detected Nanocore Rat
Source: file2.exe, 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp; String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp; String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected AgentTesla
Source: Yara match; File source: 4.2.file1.exe.3ca7650.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.39c7c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3a3fc58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3cf7670.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3ca7650.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3c4ba30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3cf7670.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match; File source: 4.2.file1.exe.3ca7650.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.39c7c38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3a3fc58.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3cf7670.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 23.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3ca7650.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3c4ba30.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.file1.exe.3cf7670.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 5808, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match; File source: 5.2.file2.exe.4114b60.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d24595.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d1ff6c.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.413cb80.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.4114b60.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.413cb80.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.418cba0.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d1ff6c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 24.2.InstallUtil.exe.3d1b136.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.file2.exe.418cba0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file2.exe PID: 6012, type: MEMORY

              Mitre Att&ck Matrix

Techniques per tactic, as listed in the matrix (the digits that follow a technique name are carried over from the matrix's per-technique counters):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation 211; Scripting 121; Exploitation for Client Execution 1; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Registry Run Keys / Startup Folder 1; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Privilege Escalation: Process Injection 212; Registry Run Keys / Startup Folder 1; DLL Side-Loading 1; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
Defense Evasion: Masquerading 2; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 131; Process Injection 212; Deobfuscate/Decode Files or Information 1; Scripting 121; Obfuscated Files or Information 3; Software Packing 13; Timestomp 1; DLL Side-Loading 1
Credential Access: Input Capture 11; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: Query Registry 1; Security Software Discovery 311; Process Discovery 2; Virtualization/Sandbox Evasion 131; Application Window Discovery 1; File and Directory Discovery 1; System Information Discovery 113; Network Service Scanning; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Input Capture 11; Archive Collected Data 11; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Command and Control: Encrypted Channel 1; Remote Access Software 1; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact

              Behavior Graph


              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 452070; Sample: Inv-04_PDF.vbs; Startdate: 21/07/2021; Architecture: WINDOWS; Score: 100

Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Sigma detected: NanoCore; 8 other signatures

Process tree recovered from the graph (dropped files and signatures listed per process):

• wscript.exe
  dropped: C:\Users\user\AppData\Local\Temp\file2.exe (PE32); C:\Users\user\AppData\Local\Temp\file1.exe (PE32)
  signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions
  started: file2.exe; file1.exe
• file2.exe
  dropped: C:\Users\user\AppData\...xplorer64int.exe (PE32); C:\Users\user\AppData\...\InstallUtil.exe (PE32)
  signatures: Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Machine Learning detection for dropped file
  started: InstallUtil.exe (two instances)
• file1.exe
  signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  started: InstallUtil.exe
• InstallUtil.exe (first instance started by file2.exe)
  signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
• InstallUtil.exe (second instance started by file2.exe)
  dropped: C:\Users\user\AppData\Roaming\...\run.dat (International); C:\Program Files (x86)\...\dhcpmon.exe (PE32)
• dhcpmon.exe
  started: conhost.exe


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              No Antivirus matches

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\file1.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\file2.exe | 100% | Joe Sandbox ML |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | Metadefender |
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\file1.exe | 29% | Metadefender |
C:\Users\user\AppData\Local\Temp\file1.exe | 52% | ReversingLabs | ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Local\Temp\file2.exe | 37% | Metadefender |
C:\Users\user\AppData\Local\Temp\file2.exe | 57% | ReversingLabs | ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe | 37% | Metadefender |
C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe | 57% | ReversingLabs | ByteCode-MSIL.Downloader.Seraph

              Unpacked PE Files

Source | Detection | Scanner | Label
24.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
23.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

              Domains

              No Antivirus matches

              URLs

              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
              http://www.tiro.comn0%URL Reputationsafe
              http://www.tiro.comn0%URL Reputationsafe
              http://www.tiro.comn0%URL Reputationsafe
              http://www.carterandcone.comtig(0%Avira URL Cloudsafe
              http://www.jiyu-kobo.co.jp/I0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/I0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/I0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/A0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/A0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/A0%URL Reputationsafe
              http://www.fontbureau.come.com0%URL Reputationsafe
              http://www.fontbureau.come.com0%URL Reputationsafe
              http://www.fontbureau.come.com0%URL Reputationsafe
              http://www.carterandcone.coml0%URL Reputationsafe
              http://www.carterandcone.coml0%URL Reputationsafe
              http://www.carterandcone.coml0%URL Reputationsafe
              http://www.founder.com.cn/cn/0%URL Reputationsafe
              http://www.founder.com.cn/cn/0%URL Reputationsafe
              http://www.founder.com.cn/cn/0%URL Reputationsafe
              http://www.founder.com.cn/cn0%URL Reputationsafe
              http://www.founder.com.cn/cn0%URL Reputationsafe
              http://www.founder.com.cn/cn0%URL Reputationsafe
              http://www.fontbureau.comm0%URL Reputationsafe
              http://www.fontbureau.comm0%URL Reputationsafe
              http://www.fontbureau.comm0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
              http://www.jiyu-kobo.co.jp/0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              No contacted domains info

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designersF | file1.exe, 00000004.00000003.255745631.0000000005B06000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designers/? | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cn/bThe | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designers? | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | (none) | high
http://www.tiro.com. | file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersC | file1.exe, 00000004.00000003.257384126.0000000005B06000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designersB | file1.exe, 00000004.00000003.262045265.0000000005B06000.00000004.00000001.sdmp | false | (none) | high
http://www.tiro.com | file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designers | file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designersZ | file1.exe, 00000004.00000003.255783808.0000000005B06000.00000004.00000001.sdmp | false | (none) | high
http://www.goodfont.co.kr | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.carterandcone.com | file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designersP | file1.exe, 00000004.00000003.256018539.0000000005B06000.00000004.00000001.sdmp | false | (none) | high
http://www.sajatypeworks.com | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.typography.netD | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.founder.com.cn/cn/cThe | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | file1.exe, 00000004.00000003.260733212.0000000005AE4000.00000004.00000001.sdmp, file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://fontfabrik.com | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designersers | file1.exe, 00000004.00000003.255996734.0000000005B06000.00000004.00000001.sdmp | false | (none) | high
http://www.jiyu-kobo.co.jp// | file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://gKSfZA.com | InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designersw | file1.exe, 00000004.00000003.256018539.0000000005B06000.00000004.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cnt-p | file1.exe, 00000004.00000003.252218602.0000000005AE1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | low
http://www.ascendercorp.com/typedesigners.html | file1.exe, 00000004.00000003.254663518.0000000005B06000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fonts.com | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | (none) | high
http://www.sandoll.co.kr | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.urwpp.deDPlease | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.zhongyicts.com.cn | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.sakkal.com | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.founder.com.cn/cni | file1.exe, 00000004.00000003.252218602.0000000005AE1000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | file1.exe, 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, InstallUtil.exe, 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.founder.com.cn/cnd | file1.exe, 00000004.00000003.251985976.0000000005AE6000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.apache.org/licenses/LICENSE-2.0 | file1.exe, 00000004.00000003.252695976.0000000005AE7000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | (none) | high
http://www.fontbureau.com | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | (none) | high
http://DynDns.comDynDNS | InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fonts.comc | file1.exe, 00000004.00000003.250853437.0000000005AEB000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.tiro.comn | file1.exe, 00000004.00000003.252450344.0000000005AE9000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.carterandcone.comtig( | file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.jiyu-kobo.co.jp/I | file1.exe, 00000004.00000003.254192747.0000000005ADA000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.jiyu-kobo.co.jp/A | file1.exe, 00000004.00000003.254192747.0000000005ADA000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.come.com | file1.exe, 00000004.00000002.425311594.0000000005AD0000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.carterandcone.coml | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.founder.com.cn/cn/ | file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | (none) | high
http://www.founder.com.cn/cn | file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmp, file1.exe, 00000004.00000003.251985976.0000000005AE6000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designers/frere-jones.html | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | (none) | high
http://www.fontbureau.comm | file1.exe, 00000004.00000002.425311594.0000000005AD0000.00000004.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.jiyu-kobo.co.jp/ | file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.fontbureau.com/designers8 | file1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmp | false | (none) | high
http://www.jiyu-kobo.co.jp/fr-c | file1.exe, 00000004.00000003.254192747.0000000005ADA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/a | file1.exe, 00000004.00000003.253855227.0000000005AD3000.00000004.00000001.sdmp | false | (none) | unknown
http://www.fontbureau.com/designers/ | file1.exe, 00000004.00000003.255713488.0000000005B06000.00000004.00000001.sdmp | false | (none) | high
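The rows above are string-carving results: the URL column runs straight into the source column, and many entries carry trailing junk bytes (fonts.comc, DynDns.comDynDNS) because the carver kept going past the string terminator. Most of the hosts are font vendors whose URLs live in the name tables of fonts the process had mapped; the few that matter here are the ones carried by the injected InstallUtil.exe region (api.ipify.org, the Tor zip, DynDns). The script below is an added example, not Joe Sandbox code and not from the report: it parses rows in this flattened form and separates font-vendor strings from the rest. The sample lines are copied from the table above; PROCESS_NAMES (the process names the regex uses to find the column boundary) and FONT_VENDOR_DOMAINS are analyst assumptions, not something the report states.

```python
"""Parse flattened Joe Sandbox "URLs from Memory and Binaries" rows and split
font-metadata noise from real indicators. Added example; not Joe Sandbox code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: the processes named in this report. The URL column has no
# delimiter before the source column, so a process name is the only boundary.
PROCESS_NAMES = r"(?:file\d+\.exe|InstallUtil\.exe)"
DUMP_ID = r"\d{8}\.\d{8}\.\d+\.[0-9A-F]{16}\.\d{8}\.\d{8}\.sdmp"
ROW_RE = re.compile(
    rf"(?P<url>.+?)"
    rf"(?P<sources>{PROCESS_NAMES}, {DUMP_ID}(?:, {PROCESS_NAMES}, {DUMP_ID})*)"
    rf"(?P<malicious>true|false)"
)
REPUTATIONS = {"high", "moderate", "low", "unknown"}

# Analyst heuristic: vendor URLs from font name tables plus the Apache-2.0
# license URL carried by open-licensed fonts. They describe the host's fonts,
# not the sample. Everything else deserves a look.
FONT_VENDOR_DOMAINS = (
    "fontbureau.com", "carterandcone.com", "sajatypeworks.com", "typography.net",
    "founder.com.cn", "galapagosdesign.com", "fontfabrik.com", "jiyu-kobo.co.jp",
    "ascendercorp.com", "sandoll.co.kr", "urwpp.de", "zhongyicts.com.cn",
    "sakkal.com", "fonts.com", "tiro.com", "goodfont.co.kr", "apache.org",
)


@dataclass
class UrlRecord:
    url: str
    malicious: bool
    processes: list = field(default_factory=list)   # carving sources, in order
    dumps: list = field(default_factory=list)       # matching .sdmp identifiers
    detections: list = field(default_factory=list)  # the "• ..." lines that followed
    reputation: str = ""                             # high / low / unknown line

    @property
    def host(self) -> str:
        # Trailing carving junk stays on the host (e.g. "fonts.comc"); callers
        # must match by prefix, not equality.
        return (urlsplit(self.url).hostname or "").lower()


def parse_rows(text: str) -> list[UrlRecord]:
    """One UrlRecord per row; detection and reputation lines attach to the row above."""
    records: list[UrlRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            if records:
                records[-1].detections.append(line.lstrip("• ").strip())
            continue
        if line in REPUTATIONS:
            if records:
                records[-1].reputation = line
            continue
        m = ROW_RE.fullmatch(line)
        if not m:
            continue  # header or unrelated text
        rec = UrlRecord(url=m["url"], malicious=(m["malicious"] == "true"))
        parts = m["sources"].split(", ")   # alternating process, dump, process, dump ...
        rec.processes, rec.dumps = parts[0::2], parts[1::2]
        records.append(rec)
    return records


def is_font_noise(rec: UrlRecord) -> bool:
    host = rec.host[4:] if rec.host.startswith("www.") else rec.host
    return any(host.startswith(d) for d in FONT_VENDOR_DOMAINS)


def triage(records: list[UrlRecord]) -> tuple[list[UrlRecord], list[UrlRecord]]:
    """(indicators worth checking, font-vendor noise)."""
    indicators = [r for r in records if not is_font_noise(r)]
    noise = [r for r in records if is_font_noise(r)]
    return indicators, noise


# Constructed sample: six rows copied verbatim from this report's table.
SAMPLE = """\
http://127.0.0.1:HTTP/1.1InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmpfalse
• Avira URL Cloud: safe
low
http://www.fontbureau.com/designersGfile1.exe, 00000004.00000002.425458054.0000000005BD0000.00000002.00000001.sdmp, file2.exe, 00000005.00000002.428291779.0000000006560000.00000002.00000001.sdmpfalse
high
http://www.tiro.com.file1.exe, 00000004.00000003.252570957.0000000005ADB000.00000004.00000001.sdmpfalse
• Avira URL Cloud: safe
unknown
https://api.ipify.org%GETMozilla/5.0InstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmpfalse
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipfile1.exe, 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, InstallUtil.exe, 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmpfalse
• URL Reputation: safe
unknown
http://DynDns.comDynDNSInstallUtil.exe, 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmpfalse
unknown
"""

if __name__ == "__main__":
    indicators, noise = triage(parse_rows(SAMPLE))
    for r in indicators:
        print(f"{r.url}  <- {', '.join(r.processes)}  rep={r.reputation or '?'}")
    print(f"({len(noise)} font-vendor rows dropped)")
```

Match hosts by prefix rather than equality when you feed these into a blocklist or a SIEM query; the carved strings are not clean URLs, and a lookup on "www.fonts.comc" or "DynDns.comDynDNS" will silently miss.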

                                                    Contacted IPs

                                                    No contacted IP infos

                                                    General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452070
Start date: 21.07.2021
Start time: 19:52:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Inv-04_PDF.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winVBS@13/11@0/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.5% (good quality ratio 0.3%)
• Quality average: 37.3%
• Quality standard deviation: 33.6%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .vbs
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtAllocateVirtualMemory calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtProtectVirtualMemory calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/452070/sample/Inv-04_PDF.vbs

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
19:54:42 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
19:54:57 | API Interceptor | 166x Sleep call for process: InstallUtil.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    No context

                                                    Domains

                                                    No context

                                                    ASN

                                                    No context

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Process: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 41064
Entropy (8bit): 6.164873449128079
Encrypted: false
SSDEEP: 384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5: EFEC8C379D165E3F33B536739AEE26A3
SHA1: C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256: 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512: 497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
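Note what the two sections above give a responder: the persistence is a Run value named "DHCP Monitor" under HKLM, the binary it launches is the dropped dhcpmon.exe written by InstallUtil.exe, and at analysis time both listed engines scored that file at 0%. Hunting other hosts therefore has to key on the Run value name, the path and the file digests rather than on an AV verdict. The script below is an added example written for this page, not part of the report or of Joe Sandbox; the indicator constants are copied from the report, the check_* helpers are mine and are kept pure so they can also be run over registry and file snapshots collected by other tooling, and the registry reader is Windows-only and returns nothing elsewhere.

```python
"""Hunt for the persistence recorded in this report: Run value "DHCP Monitor"
and the dropped dhcpmon.exe. Added example; indicator values come from the
report's Behavior and Created/dropped Files sections, the helpers are mine."""
from __future__ import annotations
import hashlib
import sys
from pathlib import Path

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # report: under HKLM
RUN_VALUE = "DHCP Monitor"
DROP_PATH = r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"
DROP_SIZE = 41064
DROP_MD5 = "efec8c379d165e3f33b536739aee26a3"
DROP_SHA256 = "46dee184523a584e56df93389f81992911a1ba6b1f05ad7d803c6ab1450e18cb"

SHA256_MATCH = "sha256 matches report"
MD5_MATCH = "md5 matches report"
SIZE_ONLY = "size matches report but hashes differ"


def check_run_values(run_values: dict[str, str]) -> list[str]:
    """Findings for a Run key's {value name: command} mapping (any hive)."""
    findings = []
    for name, cmd in run_values.items():
        cmd_l = cmd.strip().strip('"').lower()
        if name.lower() == RUN_VALUE.lower():
            findings.append(f"Run value {name!r} matches report persistence name -> {cmd}")
        elif cmd_l.endswith("dhcpmon.exe") or "\\dhcp monitor\\" in cmd_l:
            findings.append(f"Run value {name!r} points at dropper path -> {cmd}")
    return findings


def check_digests(size: int, md5: str, sha256: str,
                  expected_size: int = DROP_SIZE, expected_md5: str = DROP_MD5,
                  expected_sha256: str = DROP_SHA256) -> list[str]:
    """Strongest match first; a size-only hit is a lead, not a confirmation."""
    if sha256.lower() == expected_sha256.lower():
        return [SHA256_MATCH]
    if md5.lower() == expected_md5.lower():
        return [MD5_MATCH]
    if size == expected_size:
        return [SIZE_ONLY]
    return []


def file_digests(path: str | Path) -> tuple[int, str, str]:
    """(size, md5, sha256), streamed so large files do not load into memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            size += len(chunk)
            md5.update(chunk)
            sha.update(chunk)
    return size, md5.hexdigest(), sha.hexdigest()


def check_file(path: str | Path) -> list[str]:
    p = Path(path)
    if not p.is_file():
        return []
    return [f"{p}: {reason}" for reason in check_digests(*file_digests(p))]


def read_run_values() -> dict[str, str]:
    """Windows only: HKLM and HKCU Run values from both registry views
    (the 32-bit sample may land in the WOW6432Node view). {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    values: dict[str, str] = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
            try:
                key = winreg.OpenKey(hive, RUN_KEY, 0, winreg.KEY_READ | view)
            except OSError:
                continue
            with key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    values[name] = str(data)
                    i += 1
    return values


if __name__ == "__main__":
    for line in check_run_values(read_run_values()) + check_file(DROP_PATH):
        print(line)
```

Run it on a suspect host and treat a Run value hit as sufficient on its own: the report shows the value being written before the sandbox timed out, so a rebuilt dropper with a different hash would still leave the same "DHCP Monitor" name behind.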
                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):950
                                                    Entropy (8bit):5.350971482944737
                                                    Encrypted:false
                                                    SSDEEP:24:MLiKNE4qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MeIH2HKXwYHKhQnoPtHoxHhAHKzva
                                                    MD5:CEE81B7EB08EE82CFE49E47B81B50D1A
                                                    SHA1:4746C7068BD50E3309BFFDBE8983B8F27D834DFD
                                                    SHA-256:B9A90255691E7C9D3CCBD27D00FC514DDD6087446D8DB03335CEF1B5634CC460
                                                    SHA-512:AF5865439412974FCB6B11E22CFFF1ACA0BEBF83CF398D6056CEEF93720AF0FBCB579858C39E6AA0D989680F2180F2CA181D7D12887604B420D0E1976B8AEA77
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..
                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file1.exe.log
                                                    Process:C:\Users\user\AppData\Local\Temp\file1.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1299
                                                    Entropy (8bit):5.353835388147306
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4xLE4qE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
                                                    MD5:D7428B0428DC5FA72A41122D265CFA0E
                                                    SHA1:F485E2EC6F980F218063AF527724C088617B3B94
                                                    SHA-256:C49B31FB28F5EC1B5A82D45DF4A0A88DBC26E468BA007D8E63C800BA69CC5FFC
                                                    SHA-512:FD5BC965FD28DC219F2703726A34A7156D1B71B9199617136F936DD5DDBB2CA65175FBB4B761243635493D6CABE3069406B4D4473DEEB93FDCDA1F392345683B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file2.exe.log
                                                    Process:C:\Users\user\AppData\Local\Temp\file2.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1299
                                                    Entropy (8bit):5.353835388147306
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4xLE4qE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
                                                    MD5:D7428B0428DC5FA72A41122D265CFA0E
                                                    SHA1:F485E2EC6F980F218063AF527724C088617B3B94
                                                    SHA-256:C49B31FB28F5EC1B5A82D45DF4A0A88DBC26E468BA007D8E63C800BA69CC5FFC
                                                    SHA-512:FD5BC965FD28DC219F2703726A34A7156D1B71B9199617136F936DD5DDBB2CA65175FBB4B761243635493D6CABE3069406B4D4473DEEB93FDCDA1F392345683B
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                    C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                    Process:C:\Users\user\AppData\Local\Temp\file2.exe
                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):41064
                                                    Entropy (8bit):6.164873449128079
                                                    Encrypted:false
                                                    SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
                                                    MD5:EFEC8C379D165E3F33B536739AEE26A3
                                                    SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
                                                    SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
                                                    SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Metadefender, Detection: 0%, Browse
                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\file1.exe
                                                    Process:C:\Windows\System32\wscript.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):861184
                                                    Entropy (8bit):7.283904937853201
                                                    Encrypted:false
                                                    SSDEEP:24576:N+MOQW87bhQxtVUbJLy5yLlSKElPlHsQ2Ze:N+rQQxtVUREplD
                                                    MD5:672E9FDC80F39F27F98A048B9F51AEA0
                                                    SHA1:506479C1633363F4AC0276E59D6B66F648CF4A33
                                                    SHA-256:A9497517888F5E6E725FA5AFD4FAED80EEC9F218438DBCCF2C9E6E1B37AA8ED1
                                                    SHA-512:EB8BB241076CFBDA03DB01D20341CC73FD7A807CE33442528232941C89C2DA0007E0CEE339D82C27446C9310B00036D1816BE8E5F3A78EE85E37CDD4D9194E3C
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: Metadefender, Detection: 29%, Browse
                                                    • Antivirus: ReversingLabs, Detection: 52%
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Local\Temp\file2.exe
                                                    Process:C:\Windows\System32\wscript.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):897536
                                                    Entropy (8bit):7.255695547404168
                                                    Encrypted:false
                                                    SSDEEP:24576:m+MOQW87bhQxtVUDjTcBvz2OrL9drTKqwJ:m+rQQxtVUXTiV9drTKH
                                                    MD5:B564A2BAE72F01F3E3FB726184FED4C9
                                                    SHA1:C64494A88D69FE8974E5742841D1D12FC07C0D6E
                                                    SHA-256:03707D7AD90DB602966AE1E86703672C77D0EC94BD125CD026846F188F893BE1
                                                    SHA-512:7779A5E4F7B7136C72034667C8A0E7C13CEC1C2A02CCDDE65BB936609333B86B1E7D5C3A7AE6CBB46462244DD134A3DAF2BD9AF6A6D43E8CED33F4F1A52D5DA3
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: Metadefender, Detection: 37%, Browse
                                                    • Antivirus: ReversingLabs, Detection: 57%
                                                    Reputation:unknown
                                                    C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                    Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                    File Type:International EBCDIC text, with CR line terminators
                                                    Category:dropped
                                                    Size (bytes):8
                                                    Entropy (8bit):3.0
                                                    Encrypted:false
                                                    SSDEEP:3:Cstn:CM
                                                    MD5:C627D2AE1FEA9AB62F2803C72BF9F7BD
                                                    SHA1:E5C1399020CC7A6276FC7F8530FBE4FC92F457CB
                                                    SHA-256:DE3317A2EE872B9384C3CE9807FC57532D2B9B15098C8F0457B8D3BDF4A97A46
                                                    SHA-512:1A47849B4D3EF2F9ED81DFB1802174B9AAEA72ECE9D06E6049BA8F6ED9BC54EFE5E77CB46A84BA7F51139A1FC555BB1FEAB56A417F3E7731FFCF0153E09436FD
                                                    Malicious:true
                                                    Reputation:unknown
                                                    Preview: ....L.H
                                                    C:\Users\user\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe
                                                    Process:C:\Users\user\AppData\Local\Temp\file2.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):897536
                                                    Entropy (8bit):7.255695547404168
                                                    Encrypted:false
                                                    SSDEEP:24576:m+MOQW87bhQxtVUDjTcBvz2OrL9drTKqwJ:m+rQQxtVUXTiV9drTKH
                                                    MD5:B564A2BAE72F01F3E3FB726184FED4C9
                                                    SHA1:C64494A88D69FE8974E5742841D1D12FC07C0D6E
                                                    SHA-256:03707D7AD90DB602966AE1E86703672C77D0EC94BD125CD026846F188F893BE1
                                                    SHA-512:7779A5E4F7B7136C72034667C8A0E7C13CEC1C2A02CCDDE65BB936609333B86B1E7D5C3A7AE6CBB46462244DD134A3DAF2BD9AF6A6D43E8CED33F4F1A52D5DA3
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: Metadefender, Detection: 37%, Browse
                                                    • Antivirus: ReversingLabs, Detection: 57%
                                                    Reputation:unknown
                                                    \Device\ConDrv
                                                    Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):2017
                                                    Entropy (8bit):4.663189584482275
                                                    Encrypted:false
                                                    SSDEEP:48:zK4Qu4D4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKJDEcTytNe3Wo3uQVBIe+5
                                                    MD5:9C305D95E7DA8FCA9651F7F426BB25BC
                                                    SHA1:FDB5C18C26CF5B83EF5DC297C0F9CEBEF6A97FFC
                                                    SHA-256:444F71CF504D22F0EE88024D61501D3B79AE5D1AFD521E72499F325F6B0B82BE
                                                    SHA-512:F2829518AE0F6DD35C1DE1175FC8BE3E52EDCAFAD0B2455AC593F5E5D4BD480B014F52C3AE24E742B914685513BE5DF862373E75C45BB7908C775D7E2E404DB3
                                                    Malicious:false
                                                    Reputation:unknown
                                                    Preview: Microsoft (R) .NET Framework Installation utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for

                                                    Static File Info

                                                    General

                                                    File type:ASCII text, with very long lines, with CRLF line terminators
                                                    Entropy (8bit):5.891219578404424
                                                    TrID:
                                                    • Visual Basic Script (13500/0) 100.00%
                                                    File name:Inv-04_PDF.vbs
                                                    File size:2437367
                                                    MD5:b6a05c3a37dde3db4a8005dfaeda9e97
                                                    SHA1:c0b64b85e13865a76136ce2d5674ebca53246566
                                                    SHA256:1d5026cbfdcd2825631dd77f8f5149e275f03ec78390f94e63dad83d778569c1
                                                    SHA512:730b73dc411f25c3c79d1fe6272c797a076ab85da48162379ad32ad36c40806b2a13cf0671ab3e646c45a34fbeaf5f95091e2c7bfcfb10a889b6a17ef2de0e16
                                                    SSDEEP:24576:Rqf8Lpx7oAbNFypaURT3UuL42eUyp2CLHiLG8b5/tXC5I3ASYovcOpiWmSi3D0IA:0kfpg5/byl8b5lGIQY0Opg0IDhO
                                                    File Content Preview:on error resume next..Dim HLNFgkxYOKrKFdAlKIeEZwBFfGOyXZsoEfGAqmFqVRmFHSnSYpmcRNCLKIaaVyBoRCFaXAuYCojHJwxMTvahnQXqcvqiLfUWPynEMNvYuOZcevBNKNHaYUBAfOxbKLMXTMsLItAFACmYquMhucYyXuxvwmZxPTNiCCJRCpFRNBZWicJkBPhinNzYOxOVTCqgoDWokveEWHlW..'VbMUcpvAmfvoCkCFajxKLs

                                                    File Icon

                                                    Icon Hash:e8d69ece869a9ec4

                                                    Network Behavior

                                                    No network behavior found

                                                    Code Manipulations

                                                    System Behavior

                                                    General

                                                    Start time:19:53:14
                                                    Start date:21/07/2021
                                                    Path:C:\Windows\System32\wscript.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Inv-04_PDF.vbs'
                                                    Imagebase:0x7ff78a940000
                                                    File size:163840 bytes
                                                    MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.239940723.0000015609951000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.237652403.0000015608C41000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.238803642.0000015608A41000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.239481925.0000015609951000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.248521779.0000015609010000.00000004.00000001.sdmp, Author: Florian Roth
                                                    Reputation:high

                                                    General

                                                    Start time:19:53:19
                                                    Start date:21/07/2021
                                                    Path:C:\Users\user\AppData\Local\Temp\file1.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\AppData\Local\Temp\file1.exe'
                                                    Imagebase:0x3f0000
                                                    File size:861184 bytes
                                                    MD5 hash:672E9FDC80F39F27F98A048B9F51AEA0
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.420934075.00000000039C7000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.419907404.0000000002CA8000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.422102072.0000000003CF7000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.421532799.0000000003B57000.00000004.00000001.sdmp, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 29%, Metadefender, Browse
                                                    • Detection: 52%, ReversingLabs
                                                    Reputation:low

                                                    General

                                                    Start time:19:53:20
                                                    Start date:21/07/2021
                                                    Path:C:\Users\user\AppData\Local\Temp\file2.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Users\user\AppData\Local\Temp\file2.exe'
                                                    Imagebase:0xa20000
                                                    File size:897536 bytes
                                                    MD5 hash:B564A2BAE72F01F3E3FB726184FED4C9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.422012563.00000000033EF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.422940034.000000000418C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.422674258.00000000040ED000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.422118023.0000000003FD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Antivirus matches:
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 37%, Metadefender
                                                    • Detection: 57%, ReversingLabs
                                                    Reputation:low

                                                    General

                                                    Start time:19:54:37
                                                    Start date:21/07/2021
                                                    Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                    Imagebase:0x360000
                                                    File size:41064 bytes
                                                    MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Antivirus matches:
                                                    • Detection: 0%, Metadefender
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:moderate

                                                    General

                                                    Start time:19:54:37
                                                    Start date:21/07/2021
                                                    Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                    Imagebase:0xb30000
                                                    File size:41064 bytes
                                                    MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.504718117.0000000002E51000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.500646718.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    Reputation:moderate

                                                    General

                                                    Start time:19:54:38
                                                    Start date:21/07/2021
                                                    Path:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                    Imagebase:0x990000
                                                    File size:41064 bytes
                                                    MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.423177039.0000000003CD9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.422855353.0000000002CD1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                    • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: NanoCore, Description: unknown, Source: 00000018.00000002.421337317.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                    Reputation:moderate

                                                    General

                                                    Start time:19:54:50
                                                    Start date:21/07/2021
                                                    Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                    Imagebase:0x6b0000
                                                    File size:41064 bytes
                                                    MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Antivirus matches:
                                                    • Detection: 0%, Metadefender
                                                    • Detection: 0%, ReversingLabs
                                                    Reputation:moderate

                                                    General

                                                    Start time:19:54:51
                                                    Start date:21/07/2021
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7ecfc0000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Disassembly

                                                    Code Analysis
