Windows Analysis Report
rMT103_126021720924.exe

Overview

General Information

Sample name:	rMT103_126021720924.exe
Analysis ID:	1546259
MD5:	06ef3895bf1c5878463c502a7f1554eb
SHA1:	9bb43516ca18892a0aacd7e1b0aec0666fe2c735
SHA256:	c68ac751c2b84e31bd64a9d318fd5cde9c1fa7f9f9090940808fef7989b3ade9
Tags:	exeuser-Porcupine
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to log keystrokes (.Net Source)

Contains functionality to register a low level keyboard hook

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Signatures

AV Detection

Found malware configuration

Source: 6.2.sgxIb.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: rMT103_126021720924.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: rMT103_126021720924.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: rMT103_126021720924.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: rMT103_126021720924.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49752 -> 110.4.45.197:60611
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49746 -> 110.4.45.197:59700
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49751 -> 110.4.45.197:21
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49741 -> 110.4.45.197:21

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 110.4.45.197 ports 62872,53280,49938,57283,60611,50990,50153,54434,59700,53124,58830,52695,50113,49704,64321,61776,62800,1,55079,2,56246,49882,49662,52009,21,53913

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 110.4.45.197:52695

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 110.4.45.197 110.4.45.197

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:63430
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49742
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:63429

Uses FTP

Source: unknown

FTP traffic detected: 110.4.45.197:21 -> 192.168.2.4:49735 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 22 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 22 of 50 allowed.220-Local time is now 00:03. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 22 of 50 allowed.220-Local time is now 00:03. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 22 of 50 allowed.220-Local time is now 00:03. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 22 of 50 allowed.220-Local time is now 00:03. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.haliza.com.my
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp, rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp, rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp, rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002CB9000.00000004.00000800.00020000.00000000.sdmp, rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000006.00000002.1923594429.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000000B.00000002.4171800763.000000000285C000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000000B.00000002.4171800763.0000000002916000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000000B.00000002.4171800763.0000000002948000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.haliza.com.my
Source: rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000006.00000002.1923594429.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000000B.00000002.4171800763.00000000027EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp, rMT103_126021720924.exe, 00000000.00000002.1721207014.00000000057D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: rMT103_126021720924.exe, 00000000.00000002.1721351951.0000000006E82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: rMT103_126021720924.exe, 00000000.00000002.1718690777.000000000451A000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000006.00000002.1916038959.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: rMT103_126021720924.exe, 00000000.00000002.1718690777.000000000451A000.00000004.00000800.00020000.00000000.sdmp, rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000006.00000002.1916038959.0000000000402000.00000040.00000400.00020000.00000000.sdmp, sgxIb.exe, 00000006.00000002.1923594429.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000000B.00000002.4171800763.00000000027EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000006.00000002.1923594429.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000000B.00000002.4171800763.00000000027EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000006.00000002.1923594429.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000000B.00000002.4171800763.00000000027EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49750 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, SKTzxzsJw.cs

.Net Code: _71ZRqC1D

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\rMT103_126021720924.exe

Code function: 2_2_0685C628 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0685D458,00000000,00000000

2_2_0685C628

Installs a global keyboard hook

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\rMT103_126021720924.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rMT103_126021720924.exe.48269a0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rMT103_126021720924.exe.48269a0.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_01393E34	0_2_01393E34
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_0139E04C	0_2_0139E04C
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_0139703A	0_2_0139703A
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_01397000	0_2_01397000
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058AC680	0_2_058AC680
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058A5603	0_2_058A5603
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058A4600	0_2_058A4600
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058A5610	0_2_058A5610
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058AE1E9	0_2_058AE1E9
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058AE1F8	0_2_058AE1F8
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058A1069	0_2_058A1069
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058A1078	0_2_058A1078
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058A2338	0_2_058A2338
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058A2348	0_2_058A2348
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058AC238	0_2_058AC238
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058AC248	0_2_058AC248
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058ABE10	0_2_058ABE10
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058AD920	0_2_058AD920
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058A5897	0_2_058A5897
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_058A58A8	0_2_058A58A8
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_07841A70	0_2_07841A70
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_07D3E7E0	0_2_07D3E7E0
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_07D3B47A	0_2_07D3B47A
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_07D32106	0_2_07D32106
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_07D36CE8	0_2_07D36CE8
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_07D36CD8	0_2_07D36CD8
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_07D38C00	0_2_07D38C00
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_07D32C38	0_2_07D32C38
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_02974198	2_2_02974198
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_0297EA08	2_2_0297EA08
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_02974A68	2_2_02974A68
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_02973E50	2_2_02973E50
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_0297AF37	2_2_0297AF37
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_0297ADA0	2_2_0297ADA0
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_0685C76C	2_2_0685C76C
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_068539B4	2_2_068539B4
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_068562D7	2_2_068562D7
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_068555E3	2_2_068555E3
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_068555E8	2_2_068555E8
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_06867E90	2_2_06867E90
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_068656A8	2_2_068656A8
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_06866700	2_2_06866700
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_06862758	2_2_06862758
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_06865E08	2_2_06865E08
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_068677B0	2_2_068677B0
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_0686E4C8	2_2_0686E4C8
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_06860040	2_2_06860040
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_0686003E	2_2_0686003E
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 3_2_018D3E34	3_2_018D3E34
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 3_2_018DE04C	3_2_018DE04C
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 3_2_018D703B	3_2_018D703B
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 3_2_077BE7E0	3_2_077BE7E0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 3_2_077B2106	3_2_077B2106
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 3_2_077B6CE8	3_2_077B6CE8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 3_2_077B2C38	3_2_077B2C38
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 3_2_077B8C00	3_2_077B8C00
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 3_2_077B6CD8	3_2_077B6CD8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 3_2_07C01BC0	3_2_07C01BC0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_00E14198	6_2_00E14198
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_00E1E8D8	6_2_00E1E8D8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_00E14A68	6_2_00E14A68
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_00E13E50	6_2_00E13E50
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_06567E98	6_2_06567E98
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_065656B0	6_2_065656B0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_06566708	6_2_06566708
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_06563580	6_2_06563580
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_06560040	6_2_06560040
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_065677B8	6_2_065677B8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_0656E4D0	6_2_0656E4D0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_06565DFF	6_2_06565DFF
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_06560006	6_2_06560006
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_00EF3E34	10_2_00EF3E34
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_00EFE04C	10_2_00EFE04C
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_00EF703B	10_2_00EF703B
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06BC21B0	10_2_06BC21B0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06BCAEF8	10_2_06BCAEF8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06BCB6B8	10_2_06BCB6B8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06BC7289	10_2_06BC7289
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06BC7210	10_2_06BC7210
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06BC23F0	10_2_06BC23F0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E92338	10_2_06E92338
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E91069	10_2_06E91069
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E9C680	10_2_06E9C680
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E95602	10_2_06E95602
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E95610	10_2_06E95610
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E945F0	10_2_06E945F0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E9C248	10_2_06E9C248
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E9C238	10_2_06E9C238
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E9E1E9	10_2_06E9E1E9
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E9E1F8	10_2_06E9E1F8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E9BE10	10_2_06E9BE10
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E958A8	10_2_06E958A8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E95897	10_2_06E95897
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06E9D920	10_2_06E9D920
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_073D1A70	10_2_073D1A70
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_073D2D78	10_2_073D2D78
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_0745E7E0	10_2_0745E7E0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_07452106	10_2_07452106
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_07456CE8	10_2_07456CE8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_07458C00	10_2_07458C00
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_07456CD8	10_2_07456CD8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_00DCA4B0	11_2_00DCA4B0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_00DCE8A0	11_2_00DCE8A0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_00DC4A68	11_2_00DC4A68
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_00DCAC80	11_2_00DCAC80
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_00DC3E50	11_2_00DC3E50
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_00DC4198	11_2_00DC4198
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_063EC3FC	11_2_063EC3FC
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_063E52A8	11_2_063E52A8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_063E52A2	11_2_063E52A2
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_063E1800	11_2_063E1800
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_06407E98	11_2_06407E98
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_064056B0	11_2_064056B0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_06406708	11_2_06406708
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_06403580	11_2_06403580
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_06400040	11_2_06400040
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_06405E10	11_2_06405E10
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_064077B8	11_2_064077B8
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_0640E4D0	11_2_0640E4D0
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_0640001E	11_2_0640001E

Sample file is different than original file name gathered from version info

Source: rMT103_126021720924.exe, 00000000.00000002.1718234612.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs rMT103_126021720924.exe
Source: rMT103_126021720924.exe, 00000000.00000002.1717340738.000000000103E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rMT103_126021720924.exe
Source: rMT103_126021720924.exe, 00000000.00000000.1693462718.0000000000958000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameKUIL.exe6 vs rMT103_126021720924.exe
Source: rMT103_126021720924.exe, 00000000.00000002.1722415938.0000000007F40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rMT103_126021720924.exe
Source: rMT103_126021720924.exe, 00000000.00000002.1718690777.000000000451A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs rMT103_126021720924.exe
Source: rMT103_126021720924.exe, 00000000.00000002.1718690777.000000000451A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs rMT103_126021720924.exe
Source: rMT103_126021720924.exe, 00000002.00000002.4167842133.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs rMT103_126021720924.exe
Source: rMT103_126021720924.exe	Binary or memory string: OriginalFilenameKUIL.exe6 vs rMT103_126021720924.exe

Uses 32bit PE files

Source: rMT103_126021720924.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.2.rMT103_126021720924.exe.48269a0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rMT103_126021720924.exe.48269a0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: rMT103_126021720924.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sgxIb.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, zPwlw449bqb1U0EqqG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, uHcF5TZCInwSNV5WnO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, uHcF5TZCInwSNV5WnO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, uHcF5TZCInwSNV5WnO.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, uHcF5TZCInwSNV5WnO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, uHcF5TZCInwSNV5WnO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, uHcF5TZCInwSNV5WnO.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, uHcF5TZCInwSNV5WnO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, uHcF5TZCInwSNV5WnO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, uHcF5TZCInwSNV5WnO.cs	Security API names: _0020.AddAccessRule
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, zPwlw449bqb1U0EqqG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, zPwlw449bqb1U0EqqG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/4@4/2

Source: C:\Users\user\Desktop\rMT103_126021720924.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rMT103_126021720924.exe.log

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: rMT103_126021720924.exe, 00000000.00000000.1693462718.0000000000892000.00000002.00000001.01000000.00000003.sdmp, sgxIb.exe.2.dr	Binary or memory string: INSERT INTO Service (CustomerId, Active, Date) VALUES (@customerId, '1', @date);
Source: rMT103_126021720924.exe, 00000000.00000000.1693462718.0000000000892000.00000002.00000001.01000000.00000003.sdmp, sgxIb.exe.2.dr	Binary or memory string: SELECT COUNT(*) FROM Service WHERE (Active LIKE '1') AND (CustomerId = @id);

Source: unknown	Process created: C:\Users\user\Desktop\rMT103_126021720924.exe "C:\Users\user\Desktop\rMT103_126021720924.exe"
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Process created: C:\Users\user\Desktop\rMT103_126021720924.exe "C:\Users\user\Desktop\rMT103_126021720924.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Process created: C:\Users\user\Desktop\rMT103_126021720924.exe "C:\Users\user\Desktop\rMT103_126021720924.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Section loaded: windowscodecs.dll

Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, uHcF5TZCInwSNV5WnO.cs	.Net Code: KZX9KZhvvY System.Reflection.Assembly.Load(byte[])
Source: 0.2.rMT103_126021720924.exe.5750000.5.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, uHcF5TZCInwSNV5WnO.cs	.Net Code: KZX9KZhvvY System.Reflection.Assembly.Load(byte[])
Source: 0.2.rMT103_126021720924.exe.3d05ad0.2.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, uHcF5TZCInwSNV5WnO.cs	.Net Code: KZX9KZhvvY System.Reflection.Assembly.Load(byte[])
Source: 0.2.rMT103_126021720924.exe.3ce5ab0.4.raw.unpack, XlF5VlCIHRSQX8M5eh.cs	.Net Code: _200C_200C_202D_206C_200B_206A_206D_200B_200D_200C_202D_206A_206D_202A_206A_206B_202B_206C_202D_200B_202E_202B_202A_206C_206A_206D_202D_206B_206D_206B_200D_202B_202D_206C_206F_206C_200B_202B_206A_206D_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_07843105 push FFFFFF8Bh; iretd	0_2_07843107
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_0784289F push esp; retf	0_2_078428AD
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 0_2_07D37B99 push 0000005Dh; ret	0_2_07D37BFB
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Code function: 2_2_02970C55 push edi; retf	2_2_02970C7A
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 3_2_07C02DB8 push esp; retf	3_2_07C02DC5
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 3_2_07C0321D push FFFFFF8Bh; iretd	3_2_07C0321F
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 6_2_00E1F7C8 pushad ; retf	6_2_00E1F7D1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06BC3DBD push esp; ret	10_2_06BC3DC9
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_06BC0882 push es; ret	10_2_06BC0890
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 10_2_073D289F push esp; retf	10_2_073D28AD
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_00DCF7C8 pushad ; retf	11_2_00DCF7D1
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_00DC6A1A pushfd ; iretd	11_2_00DC6A1B
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Code function: 11_2_06400006 push es; iretd	11_2_0640001C

Source: rMT103_126021720924.exe	Static PE information: section name: .text entropy: 7.713016398013977
Source: sgxIb.exe.2.dr	Static PE information: section name: .text entropy: 7.713016398013977

Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, uHcF5TZCInwSNV5WnO.cs	High entropy of concatenated method names: 'Vp4XA8eIFd', 'xmtXFqRKnO', 'LrpXeto7k2', 'biSXMpkNqE', 'TqLXd0dj67', 'FkQXBfXrMf', 'fyUXVdSPfU', 'mjeXIoe27I', 'hNoXi29SRa', 'KhmXg08e5U'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, zWlhLspjUWVR3dcyGm.cs	High entropy of concatenated method names: 'ToString', 'q9XNsA1eMf', 'ORSN5twP6T', 'YmbNn5kPaV', 'mqvNG9vCEI', 'nkHNRHqxyo', 'gyFNPhsCOn', 'wwoNLmVIkU', 'mEfN6yJsQ9', 'mMoN25xdb3'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, dcLWPNR1a5bCJQddKH.cs	High entropy of concatenated method names: 'GdDdOq0ktM', 'adwdJgfNLg', 'K6CMnn20gI', 'gecMGEGq72', 'SxQMRnnXGi', 'uqHMPmgRiX', 'IO6MLVZmXk', 'a5GM6Vl6o8', 'jK0M2sGI7c', 'mAsM4EWVC2'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, sAaok2zrKwxG5KvCC6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FCFwfmNruO', 'uHjwremliF', 'fojwNysTwG', 'zsUwYteQvR', 'cXnwqui7hr', 'er7wwcMuiQ', 'uVNwSTDwpo'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, RdwoPGElFu8kUbgL1F.cs	High entropy of concatenated method names: 'NuwK39YK2', 'xA3TtygF0', 'Ugt3kkNhr', 'fd3Jq95tt', 'aRHmb2uWf', 'mLbDNBdpQ', 'sZUIKOOp6OX6vIMJ1a', 'IQr4UsR7Texp7HaRbV', 'NGpqm2eHo', 'BPKSfuB3g'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, nfPy2DTCIScD4cuJcs.cs	High entropy of concatenated method names: 'mLoYZeYKas', 'ho3YyDP651', 'H2UqcwBHl2', 'qRPqjlUuor', 'KS8Ys2HrUb', 'oWvYaIqGXA', 'chqYQ2IoiE', 'ukvYCgti9s', 'HtlYbCRWie', 'mWgYHo8ktv'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, c1mnmHNNglKhlxjc1V.cs	High entropy of concatenated method names: 'dJ9foMEU7p', 'FZIfm80rvP', 'sZyfUkfUsN', 'Lfvf5isKvR', 'HB3fGc5vyu', 'R23fRhE3M8', 'QIEfLA3ePd', 'SNjf6itCld', 'AF2f4AGR2v', 'QHVfsbauhh'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, TFjHmxCxlj8IovbT7o.cs	High entropy of concatenated method names: 'FmxBAYkMGv', 'OQVBeKTmip', 'PLTBd6FsjO', 'Hn6BVXk3Dp', 'TpyBIXN07L', 'WdIdh6HlqC', 'aAvd012n4h', 'Ur1dEvfiXS', 'fJUdZ06nED', 'd9idxgtrwq'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, zPwlw449bqb1U0EqqG.cs	High entropy of concatenated method names: 'rDkeClyYjl', 'hFaebT560i', 'iMReHkmn6y', 'RgjekLwdQk', 'XCdeh9qlNt', 'qBOe0Mr9lC', 'IkxeET3t0b', 'aYVeZLlO6s', 'H9nexRJ9f9', 'Dukey0eBAP'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, fFIJpeMwQuT4pj0f48.cs	High entropy of concatenated method names: 'hwYqFPF09Y', 'vD7qe1t86H', 'a3ZqMSGa9O', 'AL5qd6KkvD', 'L1LqB0AXVX', 'PJFqVDeyxn', 'Gu8qIE9445', 'gAsqiuqjPk', 'tGXqgLeCtR', 'We9qvEjK4c'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, xwCEAHPbS6YXLQv9Qwr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KWDSC2dtWW', 'BO0SbkYURB', 'l1gSHNkc7K', 'NPlSkslHA5', 'nKdShehJBI', 'xDvS0xcI9N', 'aFPSEDAki1'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, ev453qAf81jeo5XimK.cs	High entropy of concatenated method names: 'Hm6jVEAMtN', 'uYFjIKbvNG', 'DmHjgc7dE3', 'ch9jvIr8U7', 'JfsjrVE2wF', 'bV3jN04IOJ', 'NsSNGVktOrvSYRM4ms', 'iSMo4tagy9TJt5w276', 'qjYjjRvp2T', 'UjBjXyMV6v'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, sYT6qsPWtu0kVrRvODK.cs	High entropy of concatenated method names: 'uRxwtjMKlt', 'a11w1fydeK', 'iP2wK2Onhf', 'zuewT06NVS', 'jCIwO63aRr', 'UXiw3vlLJ7', 's52wJ4Bmh5', 'nD7wopUMvZ', 'lLDwmqCQ8C', 'NCbwDofkwv'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, GF6BPOvncXvdCe5Gu4.cs	High entropy of concatenated method names: 'jlWwj5e4F4', 'nWQwXJp5v9', 'NVyw96EA5s', 'XkbwFJ3WhZ', 'pvtweTMXel', 'wjTwdN15mG', 'vYywBDfxQS', 'ryjqE022Pd', 'lL5qZY7gpK', 'XGZqxRbbn9'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, tELBCGKQIZoR4Ruu4Z.cs	High entropy of concatenated method names: 'pulqUfBCVr', 'ypQq5GjexV', 'rQsqnQIf2T', 'VEeqGoRjif', 'eKNqC34rwR', 'SphqR6EjuK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, HyCv4jnDM2me7gdh35.cs	High entropy of concatenated method names: 'REWVFjnfdN', 'vlTVMv1VxX', 'ADHVB2QCkU', 'VYpByMUurN', 'ujNBzJ4D9l', 'AZWVcpW57J', 'IO0VjyWt5G', 'EcqVuYn5aU', 'SBVVXODQq0', 'jTFV99vp6M'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, M0eCCbtoMBY8TeihOn.cs	High entropy of concatenated method names: 'Kn2Vtg4Jtb', 'suKV1FhiXM', 'HtRVKe0fAR', 'YotVTxeKqk', 'B6lVOkPArV', 'qOwV3nbDPA', 'jt2VJI5PcM', 'nytVodRGlg', 'QrHVm7ABsa', 'or8VDnmWVy'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, cMmPg8V8IUa5LErlLT.cs	High entropy of concatenated method names: 'Dispose', 'hUGjxLPrNd', 'vfRu5RSely', 'e1S77aCFR3', 'k4rjyjfQnL', 'YoEjzXxpEk', 'ProcessDialogKey', 't2IucFA5ob', 'fpJujG6YCd', 'rO0uugsFQe'
Source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, z1mXZK9cnNVH49xD2U.cs	High entropy of concatenated method names: 'HaDMTw72Rd', 'FyDM3SWlLV', 'lqwMoQ2y3L', 'HQ1MmwJvDM', 'SLjMrL7m7b', 'BmiMNJbh7M', 'ncRMYyXJK6', 'fKqMqkRfeg', 'SF5MwLjKcS', 'QrYMSxybFD'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, uHcF5TZCInwSNV5WnO.cs	High entropy of concatenated method names: 'Vp4XA8eIFd', 'xmtXFqRKnO', 'LrpXeto7k2', 'biSXMpkNqE', 'TqLXd0dj67', 'FkQXBfXrMf', 'fyUXVdSPfU', 'mjeXIoe27I', 'hNoXi29SRa', 'KhmXg08e5U'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, zWlhLspjUWVR3dcyGm.cs	High entropy of concatenated method names: 'ToString', 'q9XNsA1eMf', 'ORSN5twP6T', 'YmbNn5kPaV', 'mqvNG9vCEI', 'nkHNRHqxyo', 'gyFNPhsCOn', 'wwoNLmVIkU', 'mEfN6yJsQ9', 'mMoN25xdb3'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, dcLWPNR1a5bCJQddKH.cs	High entropy of concatenated method names: 'GdDdOq0ktM', 'adwdJgfNLg', 'K6CMnn20gI', 'gecMGEGq72', 'SxQMRnnXGi', 'uqHMPmgRiX', 'IO6MLVZmXk', 'a5GM6Vl6o8', 'jK0M2sGI7c', 'mAsM4EWVC2'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, sAaok2zrKwxG5KvCC6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FCFwfmNruO', 'uHjwremliF', 'fojwNysTwG', 'zsUwYteQvR', 'cXnwqui7hr', 'er7wwcMuiQ', 'uVNwSTDwpo'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, RdwoPGElFu8kUbgL1F.cs	High entropy of concatenated method names: 'NuwK39YK2', 'xA3TtygF0', 'Ugt3kkNhr', 'fd3Jq95tt', 'aRHmb2uWf', 'mLbDNBdpQ', 'sZUIKOOp6OX6vIMJ1a', 'IQr4UsR7Texp7HaRbV', 'NGpqm2eHo', 'BPKSfuB3g'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, nfPy2DTCIScD4cuJcs.cs	High entropy of concatenated method names: 'mLoYZeYKas', 'ho3YyDP651', 'H2UqcwBHl2', 'qRPqjlUuor', 'KS8Ys2HrUb', 'oWvYaIqGXA', 'chqYQ2IoiE', 'ukvYCgti9s', 'HtlYbCRWie', 'mWgYHo8ktv'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, c1mnmHNNglKhlxjc1V.cs	High entropy of concatenated method names: 'dJ9foMEU7p', 'FZIfm80rvP', 'sZyfUkfUsN', 'Lfvf5isKvR', 'HB3fGc5vyu', 'R23fRhE3M8', 'QIEfLA3ePd', 'SNjf6itCld', 'AF2f4AGR2v', 'QHVfsbauhh'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, TFjHmxCxlj8IovbT7o.cs	High entropy of concatenated method names: 'FmxBAYkMGv', 'OQVBeKTmip', 'PLTBd6FsjO', 'Hn6BVXk3Dp', 'TpyBIXN07L', 'WdIdh6HlqC', 'aAvd012n4h', 'Ur1dEvfiXS', 'fJUdZ06nED', 'd9idxgtrwq'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, zPwlw449bqb1U0EqqG.cs	High entropy of concatenated method names: 'rDkeClyYjl', 'hFaebT560i', 'iMReHkmn6y', 'RgjekLwdQk', 'XCdeh9qlNt', 'qBOe0Mr9lC', 'IkxeET3t0b', 'aYVeZLlO6s', 'H9nexRJ9f9', 'Dukey0eBAP'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, fFIJpeMwQuT4pj0f48.cs	High entropy of concatenated method names: 'hwYqFPF09Y', 'vD7qe1t86H', 'a3ZqMSGa9O', 'AL5qd6KkvD', 'L1LqB0AXVX', 'PJFqVDeyxn', 'Gu8qIE9445', 'gAsqiuqjPk', 'tGXqgLeCtR', 'We9qvEjK4c'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, xwCEAHPbS6YXLQv9Qwr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KWDSC2dtWW', 'BO0SbkYURB', 'l1gSHNkc7K', 'NPlSkslHA5', 'nKdShehJBI', 'xDvS0xcI9N', 'aFPSEDAki1'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, ev453qAf81jeo5XimK.cs	High entropy of concatenated method names: 'Hm6jVEAMtN', 'uYFjIKbvNG', 'DmHjgc7dE3', 'ch9jvIr8U7', 'JfsjrVE2wF', 'bV3jN04IOJ', 'NsSNGVktOrvSYRM4ms', 'iSMo4tagy9TJt5w276', 'qjYjjRvp2T', 'UjBjXyMV6v'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, sYT6qsPWtu0kVrRvODK.cs	High entropy of concatenated method names: 'uRxwtjMKlt', 'a11w1fydeK', 'iP2wK2Onhf', 'zuewT06NVS', 'jCIwO63aRr', 'UXiw3vlLJ7', 's52wJ4Bmh5', 'nD7wopUMvZ', 'lLDwmqCQ8C', 'NCbwDofkwv'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, GF6BPOvncXvdCe5Gu4.cs	High entropy of concatenated method names: 'jlWwj5e4F4', 'nWQwXJp5v9', 'NVyw96EA5s', 'XkbwFJ3WhZ', 'pvtweTMXel', 'wjTwdN15mG', 'vYywBDfxQS', 'ryjqE022Pd', 'lL5qZY7gpK', 'XGZqxRbbn9'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, tELBCGKQIZoR4Ruu4Z.cs	High entropy of concatenated method names: 'pulqUfBCVr', 'ypQq5GjexV', 'rQsqnQIf2T', 'VEeqGoRjif', 'eKNqC34rwR', 'SphqR6EjuK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, HyCv4jnDM2me7gdh35.cs	High entropy of concatenated method names: 'REWVFjnfdN', 'vlTVMv1VxX', 'ADHVB2QCkU', 'VYpByMUurN', 'ujNBzJ4D9l', 'AZWVcpW57J', 'IO0VjyWt5G', 'EcqVuYn5aU', 'SBVVXODQq0', 'jTFV99vp6M'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, M0eCCbtoMBY8TeihOn.cs	High entropy of concatenated method names: 'Kn2Vtg4Jtb', 'suKV1FhiXM', 'HtRVKe0fAR', 'YotVTxeKqk', 'B6lVOkPArV', 'qOwV3nbDPA', 'jt2VJI5PcM', 'nytVodRGlg', 'QrHVm7ABsa', 'or8VDnmWVy'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, cMmPg8V8IUa5LErlLT.cs	High entropy of concatenated method names: 'Dispose', 'hUGjxLPrNd', 'vfRu5RSely', 'e1S77aCFR3', 'k4rjyjfQnL', 'YoEjzXxpEk', 'ProcessDialogKey', 't2IucFA5ob', 'fpJujG6YCd', 'rO0uugsFQe'
Source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, z1mXZK9cnNVH49xD2U.cs	High entropy of concatenated method names: 'HaDMTw72Rd', 'FyDM3SWlLV', 'lqwMoQ2y3L', 'HQ1MmwJvDM', 'SLjMrL7m7b', 'BmiMNJbh7M', 'ncRMYyXJK6', 'fKqMqkRfeg', 'SF5MwLjKcS', 'QrYMSxybFD'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, uHcF5TZCInwSNV5WnO.cs	High entropy of concatenated method names: 'Vp4XA8eIFd', 'xmtXFqRKnO', 'LrpXeto7k2', 'biSXMpkNqE', 'TqLXd0dj67', 'FkQXBfXrMf', 'fyUXVdSPfU', 'mjeXIoe27I', 'hNoXi29SRa', 'KhmXg08e5U'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, zWlhLspjUWVR3dcyGm.cs	High entropy of concatenated method names: 'ToString', 'q9XNsA1eMf', 'ORSN5twP6T', 'YmbNn5kPaV', 'mqvNG9vCEI', 'nkHNRHqxyo', 'gyFNPhsCOn', 'wwoNLmVIkU', 'mEfN6yJsQ9', 'mMoN25xdb3'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, dcLWPNR1a5bCJQddKH.cs	High entropy of concatenated method names: 'GdDdOq0ktM', 'adwdJgfNLg', 'K6CMnn20gI', 'gecMGEGq72', 'SxQMRnnXGi', 'uqHMPmgRiX', 'IO6MLVZmXk', 'a5GM6Vl6o8', 'jK0M2sGI7c', 'mAsM4EWVC2'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, sAaok2zrKwxG5KvCC6.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FCFwfmNruO', 'uHjwremliF', 'fojwNysTwG', 'zsUwYteQvR', 'cXnwqui7hr', 'er7wwcMuiQ', 'uVNwSTDwpo'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, RdwoPGElFu8kUbgL1F.cs	High entropy of concatenated method names: 'NuwK39YK2', 'xA3TtygF0', 'Ugt3kkNhr', 'fd3Jq95tt', 'aRHmb2uWf', 'mLbDNBdpQ', 'sZUIKOOp6OX6vIMJ1a', 'IQr4UsR7Texp7HaRbV', 'NGpqm2eHo', 'BPKSfuB3g'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, nfPy2DTCIScD4cuJcs.cs	High entropy of concatenated method names: 'mLoYZeYKas', 'ho3YyDP651', 'H2UqcwBHl2', 'qRPqjlUuor', 'KS8Ys2HrUb', 'oWvYaIqGXA', 'chqYQ2IoiE', 'ukvYCgti9s', 'HtlYbCRWie', 'mWgYHo8ktv'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, c1mnmHNNglKhlxjc1V.cs	High entropy of concatenated method names: 'dJ9foMEU7p', 'FZIfm80rvP', 'sZyfUkfUsN', 'Lfvf5isKvR', 'HB3fGc5vyu', 'R23fRhE3M8', 'QIEfLA3ePd', 'SNjf6itCld', 'AF2f4AGR2v', 'QHVfsbauhh'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, TFjHmxCxlj8IovbT7o.cs	High entropy of concatenated method names: 'FmxBAYkMGv', 'OQVBeKTmip', 'PLTBd6FsjO', 'Hn6BVXk3Dp', 'TpyBIXN07L', 'WdIdh6HlqC', 'aAvd012n4h', 'Ur1dEvfiXS', 'fJUdZ06nED', 'd9idxgtrwq'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, zPwlw449bqb1U0EqqG.cs	High entropy of concatenated method names: 'rDkeClyYjl', 'hFaebT560i', 'iMReHkmn6y', 'RgjekLwdQk', 'XCdeh9qlNt', 'qBOe0Mr9lC', 'IkxeET3t0b', 'aYVeZLlO6s', 'H9nexRJ9f9', 'Dukey0eBAP'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, fFIJpeMwQuT4pj0f48.cs	High entropy of concatenated method names: 'hwYqFPF09Y', 'vD7qe1t86H', 'a3ZqMSGa9O', 'AL5qd6KkvD', 'L1LqB0AXVX', 'PJFqVDeyxn', 'Gu8qIE9445', 'gAsqiuqjPk', 'tGXqgLeCtR', 'We9qvEjK4c'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, xwCEAHPbS6YXLQv9Qwr.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KWDSC2dtWW', 'BO0SbkYURB', 'l1gSHNkc7K', 'NPlSkslHA5', 'nKdShehJBI', 'xDvS0xcI9N', 'aFPSEDAki1'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, ev453qAf81jeo5XimK.cs	High entropy of concatenated method names: 'Hm6jVEAMtN', 'uYFjIKbvNG', 'DmHjgc7dE3', 'ch9jvIr8U7', 'JfsjrVE2wF', 'bV3jN04IOJ', 'NsSNGVktOrvSYRM4ms', 'iSMo4tagy9TJt5w276', 'qjYjjRvp2T', 'UjBjXyMV6v'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, sYT6qsPWtu0kVrRvODK.cs	High entropy of concatenated method names: 'uRxwtjMKlt', 'a11w1fydeK', 'iP2wK2Onhf', 'zuewT06NVS', 'jCIwO63aRr', 'UXiw3vlLJ7', 's52wJ4Bmh5', 'nD7wopUMvZ', 'lLDwmqCQ8C', 'NCbwDofkwv'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, GF6BPOvncXvdCe5Gu4.cs	High entropy of concatenated method names: 'jlWwj5e4F4', 'nWQwXJp5v9', 'NVyw96EA5s', 'XkbwFJ3WhZ', 'pvtweTMXel', 'wjTwdN15mG', 'vYywBDfxQS', 'ryjqE022Pd', 'lL5qZY7gpK', 'XGZqxRbbn9'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, tELBCGKQIZoR4Ruu4Z.cs	High entropy of concatenated method names: 'pulqUfBCVr', 'ypQq5GjexV', 'rQsqnQIf2T', 'VEeqGoRjif', 'eKNqC34rwR', 'SphqR6EjuK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, HyCv4jnDM2me7gdh35.cs	High entropy of concatenated method names: 'REWVFjnfdN', 'vlTVMv1VxX', 'ADHVB2QCkU', 'VYpByMUurN', 'ujNBzJ4D9l', 'AZWVcpW57J', 'IO0VjyWt5G', 'EcqVuYn5aU', 'SBVVXODQq0', 'jTFV99vp6M'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, M0eCCbtoMBY8TeihOn.cs	High entropy of concatenated method names: 'Kn2Vtg4Jtb', 'suKV1FhiXM', 'HtRVKe0fAR', 'YotVTxeKqk', 'B6lVOkPArV', 'qOwV3nbDPA', 'jt2VJI5PcM', 'nytVodRGlg', 'QrHVm7ABsa', 'or8VDnmWVy'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, cMmPg8V8IUa5LErlLT.cs	High entropy of concatenated method names: 'Dispose', 'hUGjxLPrNd', 'vfRu5RSely', 'e1S77aCFR3', 'k4rjyjfQnL', 'YoEjzXxpEk', 'ProcessDialogKey', 't2IucFA5ob', 'fpJujG6YCd', 'rO0uugsFQe'
Source: 0.2.rMT103_126021720924.exe.7f40000.6.raw.unpack, z1mXZK9cnNVH49xD2U.cs	High entropy of concatenated method names: 'HaDMTw72Rd', 'FyDM3SWlLV', 'lqwMoQ2y3L', 'HQ1MmwJvDM', 'SLjMrL7m7b', 'BmiMNJbh7M', 'ncRMYyXJK6', 'fKqMqkRfeg', 'SF5MwLjKcS', 'QrYMSxybFD'

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb			Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb			Jump to behavior

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: Yara match	File source: Process Memory Space: rMT103_126021720924.exe PID: 2828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 7248, type: MEMORYSTR

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: 12A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: 2CC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: 12F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: 95A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: A5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: A7D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: B7D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: BC10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: CC10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: DC10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: 2970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory allocated: 4B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 18D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 33A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 9670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: A670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: A880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: B880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: BC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: CC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: DC90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 29A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 49A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 8DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 9DC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 9FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: AFD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: B610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: C610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: D610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: DC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 27E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory allocated: 47E0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 599885	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 599514	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 599382	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 599208	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 599092	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 598969	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 598859	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 597969	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 597750	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 597624	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 597515	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 597406	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 597296	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 597187	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 597078	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 596878	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 596764	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 596655	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 596422	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 596203	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 596094	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 595982	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 595873	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 595750	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 595640	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 595531	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 595422	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 595312	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 595203	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 595094	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 594984	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 594875	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 594765	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 594656	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 594546	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 594436	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 594309	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 594193	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 594071	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Thread delayed: delay time: 593953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599886	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599780	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598794	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598465	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598347	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597671	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597452	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596794	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595692	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594790	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594677	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594547	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594219	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599766
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599407
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599282
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599157
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598932
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598694
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598579
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598454
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598329
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 598094
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597984
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597875
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597766
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597547
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597437
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597328
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597219
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 597000
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596891
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596766
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596643
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596516
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596371
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596250
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596140
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 596032
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595922
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595813
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595688
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595563
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595438
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595313
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595204
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 595079
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594954
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594829
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594704
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594579
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594454
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594329
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594204
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Thread delayed: delay time: 594079

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Window / User API: threadDelayed 2637	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Window / User API: threadDelayed 7209	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Window / User API: threadDelayed 2154	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Window / User API: threadDelayed 7695	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Window / User API: threadDelayed 2803
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Window / User API: threadDelayed 7021

Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -599885s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -599514s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -599382s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -599208s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -599092s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -598969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -598859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -597969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -597750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -597624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -597515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -597406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -597296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -597187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -597078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -596878s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -596764s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -596655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -596422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -596203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -596094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -595982s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -595873s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -595750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -595640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -595531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -595422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -595312s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -595203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -595094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -594984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -594875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -594765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -594656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -594546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -594436s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -594309s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -594193s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -594071s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\rMT103_126021720924.exe TID: 1004	Thread sleep time: -593953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -32281802128991695s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7472	Thread sleep count: 2154 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -599886s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7472	Thread sleep count: 7695 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -599780s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -598794s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -598465s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -598347s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -597671s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -597452s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -597234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -597125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -597015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -596906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -596794s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -596687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -596578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -596359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -596250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -596140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -595692s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -595015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -594790s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -594677s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -594547s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -594437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7464	Thread sleep time: -594219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -599766s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -599407s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -599282s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -599157s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -599047s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -598932s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -598694s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -598579s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -598454s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -598329s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -598094s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -597984s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -597875s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -597766s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -597547s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -597437s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -597328s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -597219s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -597000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -596891s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -596766s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -596643s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -596516s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -596371s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -596250s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -596140s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -596032s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -595922s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -595813s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -595688s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -595563s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -595438s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -595313s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -595204s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -595079s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -594954s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -594829s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -594704s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -594579s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -594454s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -594329s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -594204s >= -30000s
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 7816	Thread sleep time: -594079s >= -30000s

Source: sgxIb.exe, 00000006.00000002.1922419879.0000000000F1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: rMT103_126021720924.exe, 00000002.00000002.4168815105.0000000001107000.00000004.00000020.00020000.00000000.sdmp, sgxIb.exe, 0000000B.00000002.4167820395.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Memory written: C:\Users\user\Desktop\rMT103_126021720924.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Memory written: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q9<b>[ Program Manager]</b> (01/11/2024 00:37:23)<br>{Win}rTHcq
Source: rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q3<b>[ Program Manager]</b> (01/11/2024 00:37:23)<br>
Source: rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR^q,
Source: rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q8<b>[ Program Manager]</b> (01/11/2024 00:37:23)<br>{Win}THcq
Source: rMT103_126021720924.exe, 00000002.00000002.4171996023.0000000002C5C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: <html>Time: 11/29/2024 18:53:11<br>User Name: user<br>Computer Name: 494126<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 173.254.250.77<br><hr><b>[ Program Manager]</b> (01/11/2024 00:37:23)<br>{Win}r</html>

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.rMT103_126021720924.exe.48269a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rMT103_126021720924.exe.48269a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rMT103_126021720924.exe.472a160.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rMT103_126021720924.exe.47a8580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4171800763.000000000285C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1923594429.0000000002A1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4171996023.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4171996023.0000000002B9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1916038959.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4171800763.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1923594429.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1718690777.000000000451A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rMT103_126021720924.exe PID: 2828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rMT103_126021720924.exe PID: 6860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sgxIb.exe PID: 7704, type: MEMORYSTR

Source: C:\Users\user\Desktop\rMT103_126021720924.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Windows Analysis Report rMT103_126021720924.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
rMT103_126021720924.exe

Malware Threat Intel
Provided by

Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
110.4.45.197	ftp.haliza.com.my	Malaysia		46015	EXABYTES-AS-APExaBytesNetworkSdnBhdMY	true

ID:	1546259
Product:	CloudBasic
Start time:	17:02:05
Start date:	31.10.2024
Sample:	rMT103_126021720924.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	06ef3895bf1c5878463c502a7f1554eb
SHA1:	9bb43516ca18892a0aacd7e1b0aec0666fe2c735
SHA256:	c68ac751c2b84e31bd64a9d318fd5cde9c1fa7f9f9090940808fef7989b3ade9
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rMT103_126021720924.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sgxIb.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	06EF3895BF1C5878463C502A7F1554EB	9BB43516CA18892A0AACD7E1B0AEC0666FE2C735	C68AC751C2B84E31BD64A9D318FD5CDE9C1FA7F9F9090940808FEF7989B3ADE9
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309