
Windows Analysis Report
file.zip

Overview

General Information

Sample name: file.zip
Analysis ID: 1448037
MD5: 6da382bb9e3a7d435b57f2d5aa7cba34
SHA1: 7439b08ef1d4cae39192951c80f2f7ec646ec045
SHA256: f4078e1ec71b088a554c65ffa245570014d56ea95d93a761532a83acc638cfce

Detection

AsyncRAT, DarkTortilla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected AsyncRAT
Yara detected DarkTortilla Crypter
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 7112 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • file.exe (PID: 6088 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe" MD5: D7A86BC25D2E82CAB4286199B0C9D35A)
    • cmd.exe (PID: 6888 cmdline: "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 7092 cmdline: ping 127.0.0.1 -n 35 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • reg.exe (PID: 4300 cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
    • cmd.exe (PID: 5996 cmdline: "cmd" /c ping 127.0.0.1 -n 42 > nul && copy "C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe" "C:\Users\user\AppData\Local\star*.exe" && ping 127.0.0.1 -n 42 > nul && "C:\Users\user\AppData\Local\star*.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 5508 cmdline: ping 127.0.0.1 -n 42 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • PING.EXE (PID: 1284 cmdline: ping 127.0.0.1 -n 42 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
Source | Rule | Description | Author | Strings
0000000B.00000002.1815081680.00000000037F2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0000000B.00000002.1815081680.00000000037F2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
0000000B.00000002.1815081680.00000000037F2000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
      • 0x6bf8:$a1: havecamera
      • 0xa0fe:$a2: timeout 3 > NUL
      • 0xa11e:$a3: START "" "
      • 0x9fa9:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
      • 0xa05e:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0000000B.00000002.1815081680.000000000398A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
0000000B.00000002.1816722217.0000000004E30000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security

          System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\star*.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 4300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\star*
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe", CommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6888, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe", ProcessId: 4300, ProcessName: reg.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe", CommandLine: "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe, ParentProcessId: 6088, ParentProcessName: file.exe, ProcessCommandLine: "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe", ProcessId: 6888, ProcessName: cmd.exe
          No Snort rule has matched


          AV Detection

Source: C:\Users\user\AppData\Local\star.exe | Avira: detection malicious, Label: HEUR/AGEN.1306792
Source: C:\Users\user\AppData\Local\star.exe | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\star.exe | Virustotal: Detection: 69%
Source: C:\Users\user\AppData\Local\star.exe | Joe Sandbox ML: detected

          Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 35

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 0000000B.00000002.1815081680.00000000037F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1813061155.00000000027C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1815081680.0000000003775000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

Source: 0000000B.00000002.1815081680.00000000037F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac, Author: unknown
Source: 0000000B.00000002.1813061155.00000000027C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac, Author: unknown
Source: 0000000B.00000002.1815081680.0000000003775000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac, Author: unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe"
Source: 0000000B.00000002.1815081680.00000000037F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000B.00000002.1813061155.00000000027C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0000000B.00000002.1815081680.0000000003775000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: classification engine | Classification label: mal100.troj.evad.winZIP@16/4@0/9
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\star.exe
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_03
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe "C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 35
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 35
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 42 > nul && copy "C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe" "C:\Users\user\AppData\Local\star*.exe" && ping 127.0.0.1 -n 42 > nul && "C:\Users\user\AppData\Local\star*.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 42
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 42 > nul && copy "C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe" "C:\Users\user\AppData\Local\star*.exe" && ping 127.0.0.1 -n 42 > nul && "C:\Users\user\AppData\Local\star*.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 42
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 42
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 42
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

          Data Obfuscation

Source: Yara match | File source: 0000000B.00000002.1815081680.00000000037F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1815081680.000000000398A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1816722217.0000000004E30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1813061155.00000000027C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1815081680.0000000003775000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1813061155.0000000002731000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1813061155.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\star.exe

          Boot Survival

Source: Yara match | File source: 0000000B.00000002.1815081680.00000000037F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1813061155.00000000027C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1815081680.0000000003775000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run star*
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run star*
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run star*

          Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | File opened: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe\:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: Yara match | File source: 0000000B.00000002.1815081680.00000000037F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1813061155.00000000027C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1815081680.0000000003775000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 35
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 35
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 42
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 42
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 42
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 42
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Memory allocated: D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Memory allocated: 2730000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Memory allocated: 2630000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Window / User API: threadDelayed 9870
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe TID: 6940 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe TID: 6940 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\PING.EXE TID: 7100 | Thread sleep count: 31 > 30
Source: C:\Windows\SysWOW64\PING.EXE TID: 7100 | Thread sleep time: -31000s >= -30000s
Source: C:\Windows\SysWOW64\PING.EXE TID: 5492 | Thread sleep count: 36 > 30
Source: C:\Windows\SysWOW64\PING.EXE TID: 5492 | Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 35 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 35
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 42 > nul && copy "C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe" "C:\Users\user\AppData\Local\star*.exe" && ping 127.0.0.1 -n 42 > nul && "C:\Users\user\AppData\Local\star*.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 42
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "star*" /t REG_SZ /d "C:\Users\user\AppData\Local\star*.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 42
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\userbril.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\userbrii.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\userbrili.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\userbrib.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\userFI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\userFB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\userST.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\userSTI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\userSTB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\userSTBI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Temp1_file.zip\file.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match, File source: 0000000B.00000002.1815081680.00000000037F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.1813061155.00000000027C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.1815081680.0000000003775000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (one line per tactic; a number before a technique is the count the report attached to it)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Scheduled Task/Job; 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 11 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Masquerading; 1 Modify Registry; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Hidden Files and Directories; 1 Obfuscated Files or Information; 1 Rundll32; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery; 12 System Information Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

          No Antivirus matches
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\star.exe | 100% | Avira | HEUR/AGEN.1306792
C:\Users\user\AppData\Local\star.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\star.exe | 79% | ReversingLabs | Win32.Backdoor.AsyncRAT
C:\Users\user\AppData\Local\star.exe | 69% | Virustotal |
          No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
127.0.0.1 | | | | |
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1448037
          Start date and time:2024-05-27 15:13:32 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:defaultwindowsinteractivecookbook.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:22
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • EGA enabled
          Analysis Mode:stream
          Analysis stop reason:Timeout
          Sample name:file.zip
          Detection:MAL
          Classification:mal100.troj.evad.winZIP@16/4@0/9
          Cookbook Comments:
          • Found application associated with file extension: .zip
          • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
          Process:C:\Windows\SysWOW64\cmd.exe
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):626176
          Entropy (8bit):6.396843231622265
          Encrypted:false
          SSDEEP:
          MD5:D7A86BC25D2E82CAB4286199B0C9D35A
          SHA1:F946ABABA8E076FF832B828BF7B9BB639B439676
          SHA-256:7B80B345981E4A0703F10AA433849E5A81E6B9098D1AEA010F7F9FCD8811B62E
          SHA-512:A0BBFF53CB640367B65D4682CEB00DFAEB71E9FDE2E59003E64147A5EA8820DBF56AC9F87B5465FE82C994E944BF24B387D380A6FAB8CD87816B03CB3D989104
          Malicious:true
          Antivirus:
          • Antivirus: Avira, Detection: 100%
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: ReversingLabs, Detection: 79%
          • Antivirus: Virustotal, Detection: 69%, Browse
          Reputation:unknown
          Process:C:\Windows\SysWOW64\PING.EXE
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):926
          Entropy (8bit):4.647354968007433
          Encrypted:false
          SSDEEP:
          MD5:0371708FF604509C16FFEFB5A47737A4
          SHA1:337ABB996182181E443CD696DA48CF8FAA844B90
          SHA-256:F9B41AF3B19A68EEC4310D429A9D8E23539DCBB7CFDAAE8E6ABC558D2A97953B
          SHA-512:B84EB6C73B721167712F2BF5874D91FCC14862288754795D29348E2D466ABA1CBC1DF4060EF450C56BAD05DEAA856CE4106C40F9ADC10A5145A7A03E239F2AEF
          Malicious:false
          Reputation:unknown
          Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..
          File type:Zip archive data, at least v2.0 to extract, compression method=deflate
          Entropy (8bit):7.99859454661898
          TrID:
          • ZIP compressed archive (8000/1) 100.00%
          File name:file.zip
          File size:358'766 bytes
          MD5:6da382bb9e3a7d435b57f2d5aa7cba34
          SHA1:7439b08ef1d4cae39192951c80f2f7ec646ec045
          SHA256:f4078e1ec71b088a554c65ffa245570014d56ea95d93a761532a83acc638cfce
          SHA512:ce2d2e8693e99a44d528ee1feb6f0afba8282f6aaa8f244ae00b62f8afa4d98f407a1a2e563e5640fa1c9092cfbcf38ae9c2bd816a84345dfffc3a352cc0f849
          SSDEEP:6144:4cnl1+aJpiswmam9gu8lv02jo9eZSFZexjLR/sZRqKRJoOmoeNmHcitJ1:4cnd/wYO02c9eZlJ+IKvhegn1
          TLSH:2674234181D558FA741EB43DB36AC0AEF4D90412B4FD81F29B0B0ED6EEAB432D027975
          Icon Hash:1c1c1e4e4ececedc