Windows Analysis Report
rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Overview

General Information

Sample name: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Analysis ID: 1600779
MD5: 38738d1bcce9a92053d0b2ff204da017
SHA1: 5d3e8a4d369e1528ca1d25146199444f5a77cd5f
SHA256: 34444d4292fb1f61fad6019625d22b9b88868e8af67aa0a84f1319ce8d571f01
Tags: exe, user-Porcupine

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)

Process Tree

  • System is w10x64
  • rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe (PID: 7580 cmdline: "C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe" MD5: 38738D1BCCE9A92053D0B2FF204DA017)
    • RegSvcs.exe (PID: 7736 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{
  "Exfil Mode": "SMTP",
  "Port": "587",
  "Host": "cp8nl.hyperhost.ua",
  "Username": "absach@genesio.top",
  "Password": "@qwerty90123        "
}
Source | Rule | Description | Author | Strings
00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.2931059217.00000000028D9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(8 further entries not shown)

Source | Rule | Description | Author | Strings
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3204f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x320c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3214b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x321dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32247:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x322b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3234f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x323df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(10 further entries not shown)

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 185.174.175.187, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7736, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
No Suricata rule has matched

AV Detection

Source: 2.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "absach@genesio.top", "Password": "@qwerty90123 "}
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Virustotal: Detection: 48%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Joe Sandbox ML: detected
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 185.174.175.187:587
Source: global traffic | TCP traffic: 192.168.2.4:53667 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 185.174.175.187
Source: Joe Sandbox View | ASN Name: ITLDC-NLUA
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 185.174.175.187:587
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 occurrences)
Source: global traffic | DNS traffic detected: DNS query: cp8nl.hyperhost.ua
Source: global traffic | DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cp8nl.hyperhost.ua
Source: RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2930467946.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp, rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2930467946.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | String found in binary or memory: http://tempuri.org/Polly_PipeDataSet.xsd
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731518943.0000000005A14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.coml
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2930467946.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, SKTzxzsJw.cs | .Net Code: P0mmrM

System Summary

Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Code function: 0_2_0168E02C
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Code function: 0_2_0785A658
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Code function: 0_2_0785EBE0
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Code function: 0_2_0785B928
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Code function: 0_2_0785A64B
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Code function: 0_2_0785DF68
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Code function: 0_2_0785EEB8
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Code function: 0_2_0785EEC8
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Code function: 0_2_0785EBD3
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Code function: 0_2_0785B918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01039388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01039B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01034A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01033E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0103CEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_010341C8
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Static PE information: invalid certificate
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1728748862.000000000416A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000000.1683260755.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamevzHb.exe6 vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1727376542.0000000003121000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefc5dce39-38f8-4333-8bf2-0b26de43131c.exe4 vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefc5dce39-38f8-4333-8bf2-0b26de43131c.exe4 vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1725424295.000000000124E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1733758098.000000000B6A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1728748862.0000000004982000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1732536572.0000000007730000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Binary or memory string: OriginalFilenamevzHb.exe6 vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, YIqdnTZwEPBrH1FTHb.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, YIqdnTZwEPBrH1FTHb.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, YIqdnTZwEPBrH1FTHb.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, YIqdnTZwEPBrH1FTHb.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, YIqdnTZwEPBrH1FTHb.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, YIqdnTZwEPBrH1FTHb.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.logJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeMutant created: \Sessions\1\BaseNamedObjects\wjOctAPDxNPP
                    Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeVirustotal: Detection: 48%
                    Source: unknownProcess created: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe "C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe"
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | .Net Code: wfC1xj5Ld2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.416a528.2.raw.unpack, MainForm.cs | .Net Code: _202D_206F_202D_200E_202A_206C_202A_202A_206D_200D_206C_206A_206A_202D_200D_206A_200D_200C_200E_200F_206B_206A_206B_202D_206A_206E_206C_200C_202E_200D_206B_206A_206A_206B_200F_202B_200C_202B_200E_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | .Net Code: wfC1xj5Ld2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.7730000.5.raw.unpack, MainForm.cs | .Net Code: _202D_206F_202D_200E_202A_206C_202A_202A_206D_200D_206C_206A_206A_202D_200D_206A_200D_200C_200E_200F_206B_206A_206B_202D_206A_206E_206C_200C_202E_200D_206B_206A_206A_206B_200F_202B_200C_202B_200E_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | .Net Code: wfC1xj5Ld2 System.Reflection.Assembly.Load(byte[])
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Static PE information: 0x961E3554 [Sat Oct 23 00:35:32 2049 UTC]
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Code function: 0_2_07852713 push F005868Fh; ret 0_2_0785271D
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Code function: 0_2_07859988 push eax; iretd 0_2_07859989
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Static PE information: section name: .text entropy: 7.264339353751273
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, ejZGFIWEC7oEI54yuV.cs | High entropy of concatenated method names: 'LOGqd4Yvul', 'R7GqmaQ669', 'H5bqZbpR3r', 'R7hqWUigB2', 'OIqqfPcgmo', 'qm4qG17kce', 'F3Uq70miE5', 'LywqTcPlE5', 'KT9qMuJrlS', 'ykiq2yucjU'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, tMHjpQ9tMB2G9WMxca.cs | High entropy of concatenated method names: 'hBeMoEt3Z8', 'wK1Mn4A9MK', 'bElMYe6aWu', 'y4GMLQlaav', 'vriMP9jvYb', 'rmXMtSrNh0', 'JGFMaeTx0Z', 'zfaMc5Fcw7', 'IKIM4bfwr3', 'Ju7MSX1Iud'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, uG3L8eeeeNpD6r3MYnA.cs | High entropy of concatenated method names: 'Ir62bqvkPh', 'VXu2zJvVBl', 'Orljg6dgxN', 'hZYjexWbME', 'MmbjyN6iOp', 'UDWj05AdmT', 'rdIj1o8lt0', 'mNfjEAp0ya', 'JmrjvD98gx', 'p2KjhK4GGO'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, muvhe9oreOtObp2D1K.cs | High entropy of concatenated method names: 'a3irEAia4J', 'v2srhahlq3', 'H1grBGQNFI', 'QGmrQRuBPu', 'rFhrHxWBVH', 'vcBB8SRuGh', 'QMcB6Wvf3O', 'XVfBlAfrAn', 'DoBBJOXRId', 'jyNB9MQq1F'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, nnWCtK49FAAnUT3Duh.cs | High entropy of concatenated method names: 'SfWQuE84mc', 'Lf7QkP2oEa', 'valQxGjfeQ', 'nksQd1cBEf', 'D40QKPcMIo', 'YHpQmdFe15', 'TygQV99RFR', 'wfeQZ3TXGN', 'nWvQWB5Isj', 'RICQXeLHtM'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, cKx96hzHJ3vxIFm6hw.cs | High entropy of concatenated method names: 'ACm2mB2peL', 'vWN2ZnXCPP', 'W0I2Wlwgas', 'drN2oH06Lg', 'Kcx2nyYUqQ', 'xRS2LjJf7a', 'QPt2P4MCA5', 'AjQ2sdRS2Z', 'l4o2uWwygH', 'UNQ2kw7RnK'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, GTpSuV6ePOHDmoiebI.cs | High entropy of concatenated method names: 'lND7J47LIi', 'hkQ7bRfOCt', 'N4eTg4rEgt', 'gfWTeq2bOn', 'Kwm7N8k2Ni', 'C0B7Rj5XHU', 'TiH7Crg9jq', 'QLj7pX5mv1', 'z087FFqeVZ', 'Pq87DsFcK3'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, Kpds23bRZ3g8UawtCn.cs | High entropy of concatenated method names: 'bLQ2qGkGF2', 'A5P2BboOwe', 'gSX2rCGL0g', 'ptp2QkkTgS', 'lUd2MRPsbK', 'UxF2HTtEG5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, OybYUnXBlbhQxTn54P.cs | High entropy of concatenated method names: 'r5iBKtGRo0', 'QppBVQEl1y', 'q4dqYqYwR7', 'z6vqLUuxxm', 'N69qPV1SmW', 'dIKqtmLbST', 'GyQqaL9Aro', 'g1sqcEpFoQ', 'Y2Kq4jFkeY', 'y97qSLk4L2'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, T42vxya1RVn0pijrE2.cs | High entropy of concatenated method names: 'rn5QvAuqCO', 'DRpQqSfImm', 'OAuQrCh9id', 'pTFrbvdQIr', 'wKErz0V7Pf', 'AHDQg2Xcq9', 'FDjQegtu2n', 'WAVQyCDJQr', 'JU8Q0fEtwK', 'aHqQ1csBcR'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, x9nb8ZloLFW8ZxgXRj.cs | High entropy of concatenated method names: 'UabMfigQ5e', 'dtrM71qp1y', 'Ij9MMMcISN', 'CKPMjg7bI7', 'euZMwiTkCd', 'BuAMs6t85l', 'Dispose', 'yX6Tvt3SJH', 'xRGThieZjo', 'BG7TqleQ73'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, GJwJcahRxl2glY1GF2.cs | High entropy of concatenated method names: 'Dispose', 'RW8e9ZxgXR', 'G5wynhH9HL', 'fRHembvwLi', 'tlYebTPllt', 'eRQez1hSn4', 'ProcessDialogKey', 'tLjygMHjpQ', 'JMBye2G9WM', 'zcayyapds2'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, YIqdnTZwEPBrH1FTHb.cs | High entropy of concatenated method names: 'PrshpVcwco', 'LPchFwowsK', 'TgghDx0pWy', 'sMnhII2dLD', 'ma7h82kj7U', 'FCIh6Zm7Yp', 'OEihl7kIsi', 'iEehJGwXS7', 'ogEh9Lj8Oq', 'ojThbM70ln'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, Ik3l8gyn3JBR4Aphj1.cs | High entropy of concatenated method names: 'Hinx1fO8D', 'f7VdV741K', 'NFKmMcXdo', 'esgVWTaUX', 'jmmWiXonO', 'bZEXHouCy', 'HgiMke3R5y5KU0k9uN', 'QNS4Y3DoymPEhAsuNm', 'nuhTjqBZW', 'BA62eYpkP'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | High entropy of concatenated method names: 'g9O0E7aiAc', 'RCv0vdQk3R', 'cfG0htCNYr', 'WTq0qZLsTM', 'P7o0B3dLm2', 'eM40rewRfy', 'svJ0QbTTTT', 'wBW0HrF7yB', 'pE00UFNTVy', 'iEv0AiMvOj'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, kR2qoEegexqRSRTMPkp.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ztY2NKQwPo', 'ldB2RltFyq', 'CZE2C9h3f8', 'TZt2p7QwNd', 'uk32FPdxCP', 'xOn2DOnAvD', 'Cq52In4GWF'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, qrtTTL1JYUqWTG5Lqr.cs | High entropy of concatenated method names: 'wubeQIqdnT', 'vEPeHBrH1F', 'TECeA7oEI5', 'MyueiVNybY', 'rn5ef4Piuv', 'ge9eGreOtO', 'CW9RKsYRoPepWWTLmH', 'CX3BGOku1Z5K0JKS2X', 'O9LeecZ05w', 'B4Qe0l7e62'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, LMveT8COW3NBEw3BD5.cs | High entropy of concatenated method names: 'dPIOZrjL7R', 'ngHOWJhAtc', 'HtuOoIoglF', 'mGcOn7jbFS', 'Mi3OLZUxsn', 'AcdOPC7v87', 'FK2OaPcT96', 'zjcOcwUwxY', 'RRBOSJntB3', 'YMTON9CVBa'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, SSEXIHe1GqRIqTRj6Uw.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iNY3MHVNoj', 'y2m321XkkW', 'zKm3jL4KCD', 'XoJ33HGbSE', 'vTe3wlgUPU', 'K2g35GrKIh', 'rj53sOp6K9'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, DfCA8NImunWKhJZGlY.cs | High entropy of concatenated method names: 'iCQ7AChSPA', 'zx57icJYcP', 'ToString', 'lKj7vfnhjM', 'c5y7hHjTuZ', 'gNI7q0OsAe', 'ogi7B3sUKx', 'My27rAWxQ5', 'OSI7QKiEZs', 'kXU7H8roeM'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, ejZGFIWEC7oEI54yuV.cs | High entropy of concatenated method names: 'LOGqd4Yvul', 'R7GqmaQ669', 'H5bqZbpR3r', 'R7hqWUigB2', 'OIqqfPcgmo', 'qm4qG17kce', 'F3Uq70miE5', 'LywqTcPlE5', 'KT9qMuJrlS', 'ykiq2yucjU'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, tMHjpQ9tMB2G9WMxca.cs | High entropy of concatenated method names: 'hBeMoEt3Z8', 'wK1Mn4A9MK', 'bElMYe6aWu', 'y4GMLQlaav', 'vriMP9jvYb', 'rmXMtSrNh0', 'JGFMaeTx0Z', 'zfaMc5Fcw7', 'IKIM4bfwr3', 'Ju7MSX1Iud'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, uG3L8eeeeNpD6r3MYnA.cs | High entropy of concatenated method names: 'Ir62bqvkPh', 'VXu2zJvVBl', 'Orljg6dgxN', 'hZYjexWbME', 'MmbjyN6iOp', 'UDWj05AdmT', 'rdIj1o8lt0', 'mNfjEAp0ya', 'JmrjvD98gx', 'p2KjhK4GGO'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, muvhe9oreOtObp2D1K.cs | High entropy of concatenated method names: 'a3irEAia4J', 'v2srhahlq3', 'H1grBGQNFI', 'QGmrQRuBPu', 'rFhrHxWBVH', 'vcBB8SRuGh', 'QMcB6Wvf3O', 'XVfBlAfrAn', 'DoBBJOXRId', 'jyNB9MQq1F'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, nnWCtK49FAAnUT3Duh.cs | High entropy of concatenated method names: 'SfWQuE84mc', 'Lf7QkP2oEa', 'valQxGjfeQ', 'nksQd1cBEf', 'D40QKPcMIo', 'YHpQmdFe15', 'TygQV99RFR', 'wfeQZ3TXGN', 'nWvQWB5Isj', 'RICQXeLHtM'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, cKx96hzHJ3vxIFm6hw.cs | High entropy of concatenated method names: 'ACm2mB2peL', 'vWN2ZnXCPP', 'W0I2Wlwgas', 'drN2oH06Lg', 'Kcx2nyYUqQ', 'xRS2LjJf7a', 'QPt2P4MCA5', 'AjQ2sdRS2Z', 'l4o2uWwygH', 'UNQ2kw7RnK'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, GTpSuV6ePOHDmoiebI.cs | High entropy of concatenated method names: 'lND7J47LIi', 'hkQ7bRfOCt', 'N4eTg4rEgt', 'gfWTeq2bOn', 'Kwm7N8k2Ni', 'C0B7Rj5XHU', 'TiH7Crg9jq', 'QLj7pX5mv1', 'z087FFqeVZ', 'Pq87DsFcK3'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, Kpds23bRZ3g8UawtCn.cs | High entropy of concatenated method names: 'bLQ2qGkGF2', 'A5P2BboOwe', 'gSX2rCGL0g', 'ptp2QkkTgS', 'lUd2MRPsbK', 'UxF2HTtEG5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, OybYUnXBlbhQxTn54P.cs | High entropy of concatenated method names: 'r5iBKtGRo0', 'QppBVQEl1y', 'q4dqYqYwR7', 'z6vqLUuxxm', 'N69qPV1SmW', 'dIKqtmLbST', 'GyQqaL9Aro', 'g1sqcEpFoQ', 'Y2Kq4jFkeY', 'y97qSLk4L2'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, T42vxya1RVn0pijrE2.cs | High entropy of concatenated method names: 'rn5QvAuqCO', 'DRpQqSfImm', 'OAuQrCh9id', 'pTFrbvdQIr', 'wKErz0V7Pf', 'AHDQg2Xcq9', 'FDjQegtu2n', 'WAVQyCDJQr', 'JU8Q0fEtwK', 'aHqQ1csBcR'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, x9nb8ZloLFW8ZxgXRj.cs | High entropy of concatenated method names: 'UabMfigQ5e', 'dtrM71qp1y', 'Ij9MMMcISN', 'CKPMjg7bI7', 'euZMwiTkCd', 'BuAMs6t85l', 'Dispose', 'yX6Tvt3SJH', 'xRGThieZjo', 'BG7TqleQ73'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, GJwJcahRxl2glY1GF2.cs | High entropy of concatenated method names: 'Dispose', 'RW8e9ZxgXR', 'G5wynhH9HL', 'fRHembvwLi', 'tlYebTPllt', 'eRQez1hSn4', 'ProcessDialogKey', 'tLjygMHjpQ', 'JMBye2G9WM', 'zcayyapds2'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, YIqdnTZwEPBrH1FTHb.cs | High entropy of concatenated method names: 'PrshpVcwco', 'LPchFwowsK', 'TgghDx0pWy', 'sMnhII2dLD', 'ma7h82kj7U', 'FCIh6Zm7Yp', 'OEihl7kIsi', 'iEehJGwXS7', 'ogEh9Lj8Oq', 'ojThbM70ln'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, Ik3l8gyn3JBR4Aphj1.cs | High entropy of concatenated method names: 'Hinx1fO8D', 'f7VdV741K', 'NFKmMcXdo', 'esgVWTaUX', 'jmmWiXonO', 'bZEXHouCy', 'HgiMke3R5y5KU0k9uN', 'QNS4Y3DoymPEhAsuNm', 'nuhTjqBZW', 'BA62eYpkP'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | High entropy of concatenated method names: 'g9O0E7aiAc', 'RCv0vdQk3R', 'cfG0htCNYr', 'WTq0qZLsTM', 'P7o0B3dLm2', 'eM40rewRfy', 'svJ0QbTTTT', 'wBW0HrF7yB', 'pE00UFNTVy', 'iEv0AiMvOj'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, kR2qoEegexqRSRTMPkp.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ztY2NKQwPo', 'ldB2RltFyq', 'CZE2C9h3f8', 'TZt2p7QwNd', 'uk32FPdxCP', 'xOn2DOnAvD', 'Cq52In4GWF'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, qrtTTL1JYUqWTG5Lqr.cs | High entropy of concatenated method names: 'wubeQIqdnT', 'vEPeHBrH1F', 'TECeA7oEI5', 'MyueiVNybY', 'rn5ef4Piuv', 'ge9eGreOtO', 'CW9RKsYRoPepWWTLmH', 'CX3BGOku1Z5K0JKS2X', 'O9LeecZ05w', 'B4Qe0l7e62'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, LMveT8COW3NBEw3BD5.cs | High entropy of concatenated method names: 'dPIOZrjL7R', 'ngHOWJhAtc', 'HtuOoIoglF', 'mGcOn7jbFS', 'Mi3OLZUxsn', 'AcdOPC7v87', 'FK2OaPcT96', 'zjcOcwUwxY', 'RRBOSJntB3', 'YMTON9CVBa'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, SSEXIHe1GqRIqTRj6Uw.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iNY3MHVNoj', 'y2m321XkkW', 'zKm3jL4KCD', 'XoJ33HGbSE', 'vTe3wlgUPU', 'K2g35GrKIh', 'rj53sOp6K9'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, DfCA8NImunWKhJZGlY.cs | High entropy of concatenated method names: 'iCQ7AChSPA', 'zx57icJYcP', 'ToString', 'lKj7vfnhjM', 'c5y7hHjTuZ', 'gNI7q0OsAe', 'ogi7B3sUKx', 'My27rAWxQ5', 'OSI7QKiEZs', 'kXU7H8roeM'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, ejZGFIWEC7oEI54yuV.cs | High entropy of concatenated method names: 'LOGqd4Yvul', 'R7GqmaQ669', 'H5bqZbpR3r', 'R7hqWUigB2', 'OIqqfPcgmo', 'qm4qG17kce', 'F3Uq70miE5', 'LywqTcPlE5', 'KT9qMuJrlS', 'ykiq2yucjU'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, tMHjpQ9tMB2G9WMxca.cs | High entropy of concatenated method names: 'hBeMoEt3Z8', 'wK1Mn4A9MK', 'bElMYe6aWu', 'y4GMLQlaav', 'vriMP9jvYb', 'rmXMtSrNh0', 'JGFMaeTx0Z', 'zfaMc5Fcw7', 'IKIM4bfwr3', 'Ju7MSX1Iud'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, uG3L8eeeeNpD6r3MYnA.cs | High entropy of concatenated method names: 'Ir62bqvkPh', 'VXu2zJvVBl', 'Orljg6dgxN', 'hZYjexWbME', 'MmbjyN6iOp', 'UDWj05AdmT', 'rdIj1o8lt0', 'mNfjEAp0ya', 'JmrjvD98gx', 'p2KjhK4GGO'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, muvhe9oreOtObp2D1K.cs | High entropy of concatenated method names: 'a3irEAia4J', 'v2srhahlq3', 'H1grBGQNFI', 'QGmrQRuBPu', 'rFhrHxWBVH', 'vcBB8SRuGh', 'QMcB6Wvf3O', 'XVfBlAfrAn', 'DoBBJOXRId', 'jyNB9MQq1F'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, nnWCtK49FAAnUT3Duh.cs | High entropy of concatenated method names: 'SfWQuE84mc', 'Lf7QkP2oEa', 'valQxGjfeQ', 'nksQd1cBEf', 'D40QKPcMIo', 'YHpQmdFe15', 'TygQV99RFR', 'wfeQZ3TXGN', 'nWvQWB5Isj', 'RICQXeLHtM'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, cKx96hzHJ3vxIFm6hw.cs | High entropy of concatenated method names: 'ACm2mB2peL', 'vWN2ZnXCPP', 'W0I2Wlwgas', 'drN2oH06Lg', 'Kcx2nyYUqQ', 'xRS2LjJf7a', 'QPt2P4MCA5', 'AjQ2sdRS2Z', 'l4o2uWwygH', 'UNQ2kw7RnK'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, GTpSuV6ePOHDmoiebI.cs | High entropy of concatenated method names: 'lND7J47LIi', 'hkQ7bRfOCt', 'N4eTg4rEgt', 'gfWTeq2bOn', 'Kwm7N8k2Ni', 'C0B7Rj5XHU', 'TiH7Crg9jq', 'QLj7pX5mv1', 'z087FFqeVZ', 'Pq87DsFcK3'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, Kpds23bRZ3g8UawtCn.cs | High entropy of concatenated method names: 'bLQ2qGkGF2', 'A5P2BboOwe', 'gSX2rCGL0g', 'ptp2QkkTgS', 'lUd2MRPsbK', 'UxF2HTtEG5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, OybYUnXBlbhQxTn54P.cs | High entropy of concatenated method names: 'r5iBKtGRo0', 'QppBVQEl1y', 'q4dqYqYwR7', 'z6vqLUuxxm', 'N69qPV1SmW', 'dIKqtmLbST', 'GyQqaL9Aro', 'g1sqcEpFoQ', 'Y2Kq4jFkeY', 'y97qSLk4L2'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, T42vxya1RVn0pijrE2.cs | High entropy of concatenated method names: 'rn5QvAuqCO', 'DRpQqSfImm', 'OAuQrCh9id', 'pTFrbvdQIr', 'wKErz0V7Pf', 'AHDQg2Xcq9', 'FDjQegtu2n', 'WAVQyCDJQr', 'JU8Q0fEtwK', 'aHqQ1csBcR'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, x9nb8ZloLFW8ZxgXRj.cs | High entropy of concatenated method names: 'UabMfigQ5e', 'dtrM71qp1y', 'Ij9MMMcISN', 'CKPMjg7bI7', 'euZMwiTkCd', 'BuAMs6t85l', 'Dispose', 'yX6Tvt3SJH', 'xRGThieZjo', 'BG7TqleQ73'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, GJwJcahRxl2glY1GF2.cs | High entropy of concatenated method names: 'Dispose', 'RW8e9ZxgXR', 'G5wynhH9HL', 'fRHembvwLi', 'tlYebTPllt', 'eRQez1hSn4', 'ProcessDialogKey', 'tLjygMHjpQ', 'JMBye2G9WM', 'zcayyapds2'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, YIqdnTZwEPBrH1FTHb.cs | High entropy of concatenated method names: 'PrshpVcwco', 'LPchFwowsK', 'TgghDx0pWy', 'sMnhII2dLD', 'ma7h82kj7U', 'FCIh6Zm7Yp', 'OEihl7kIsi', 'iEehJGwXS7', 'ogEh9Lj8Oq', 'ojThbM70ln'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, Ik3l8gyn3JBR4Aphj1.cs | High entropy of concatenated method names: 'Hinx1fO8D', 'f7VdV741K', 'NFKmMcXdo', 'esgVWTaUX', 'jmmWiXonO', 'bZEXHouCy', 'HgiMke3R5y5KU0k9uN', 'QNS4Y3DoymPEhAsuNm', 'nuhTjqBZW', 'BA62eYpkP'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, lwLNX7HLpB3TkaujOQ.cs | High entropy of concatenated method names: 'g9O0E7aiAc', 'RCv0vdQk3R', 'cfG0htCNYr', 'WTq0qZLsTM', 'P7o0B3dLm2', 'eM40rewRfy', 'svJ0QbTTTT', 'wBW0HrF7yB', 'pE00UFNTVy', 'iEv0AiMvOj'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, kR2qoEegexqRSRTMPkp.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ztY2NKQwPo', 'ldB2RltFyq', 'CZE2C9h3f8', 'TZt2p7QwNd', 'uk32FPdxCP', 'xOn2DOnAvD', 'Cq52In4GWF'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, qrtTTL1JYUqWTG5Lqr.cs | High entropy of concatenated method names: 'wubeQIqdnT', 'vEPeHBrH1F', 'TECeA7oEI5', 'MyueiVNybY', 'rn5ef4Piuv', 'ge9eGreOtO', 'CW9RKsYRoPepWWTLmH', 'CX3BGOku1Z5K0JKS2X', 'O9LeecZ05w', 'B4Qe0l7e62'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, LMveT8COW3NBEw3BD5.cs | High entropy of concatenated method names: 'dPIOZrjL7R', 'ngHOWJhAtc', 'HtuOoIoglF', 'mGcOn7jbFS', 'Mi3OLZUxsn', 'AcdOPC7v87', 'FK2OaPcT96', 'zjcOcwUwxY', 'RRBOSJntB3', 'YMTON9CVBa'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, SSEXIHe1GqRIqTRj6Uw.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iNY3MHVNoj', 'y2m321XkkW', 'zKm3jL4KCD', 'XoJ33HGbSE', 'vTe3wlgUPU', 'K2g35GrKIh', 'rj53sOp6K9'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, DfCA8NImunWKhJZGlY.cs | High entropy of concatenated method names: 'iCQ7AChSPA', 'zx57icJYcP', 'ToString', 'lKj7vfnhjM', 'c5y7hHjTuZ', 'gNI7q0OsAe', 'ogi7B3sUKx', 'My27rAWxQ5', 'OSI7QKiEZs', 'kXU7H8roeM'
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

Source: Yara match, File source: Process Memory Space: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe PID: 7580, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: 1640000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: 2E70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: 9370000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: A370000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: A580000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: 7C10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: B720000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: C720000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: D720000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 3990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2166
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe TID: 7600 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99059
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98949
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98709
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98139
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
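The evasion entries above can be triaged mechanically: the WMI reads of Win32_Processor, Win32_BaseBoard and Win32_NetworkAdapterConfiguration are the usual hypervisor fingerprinting, the 922337203685477 ms "delay time" is how Joe Sandbox prints an INFINITE wait (kernel32 SleepEx hands NtDelayExecution the interval 0x8000000000000000, which divided by 10000 gives that millisecond figure), and the run 100000, 99875, 99751, ... is a loop re-sleeping for the time left until a deadline. The script below is an added example for this page, not code from the report or from Joe Sandbox. It assumes the one-line "Source: <process> <signature>" form shown above, strips the "Jump to behavior" page residue if present, and uses its own list of WMI classes to count as VM fingerprinting; the sample lines are copied from this report's excerpt.

```python
"""Triage the 'Malware Analysis System Evasion' lines of a Joe Sandbox report.

Added example; not part of the report above and not Joe Sandbox code.
"""
import json
import re
from collections import defaultdict

# kernel32!SleepEx turns INFINITE into the NtDelayExecution interval 0x8000000000000000
# (relative, 100 ns units). Joe Sandbox prints |interval| / 10000, i.e. milliseconds,
# which is exactly the 922337203685477 figure in the "Thread delayed" lines.
INFINITE_SLEEP_MS = 2**63 // 10_000          # 922337203685477

# WMI classes whose instances expose hypervisor vendor strings, virtual CPU names or
# virtual NIC identifiers. This set is the script's own choice (assumption).
VM_FINGERPRINT_CLASSES = {
    "Win32_Processor", "Win32_BaseBoard", "Win32_Bios", "Win32_ComputerSystem",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration", "Win32_DiskDrive",
}

PROC_RE = re.compile(r"([\w.-]+\.exe)")                        # basename of the acting process
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
WMI_RE = re.compile(r"root\\cimv2 : (?:SELECT .+? FROM )?(Win32_\w+)")
WATCH_RE = re.compile(r"memory reserve \| memory write watch")  # MEM_WRITE_WATCH reservations


def longest_countdown(delays):
    """Length of the longest run of strictly decreasing delays.

    100000, 99875, 99751, ... is a loop that re-sleeps for the time left until a
    deadline; each pass is shorter by the overhead of the previous one.
    """
    best = run = 1 if delays else 0
    for prev, cur in zip(delays, delays[1:]):
        run = run + 1 if cur < prev else 1
        best = max(best, run)
    return best


def summarise(report_text):
    """Return {process basename: evasion indicators} for the given signature lines."""
    acc = defaultdict(lambda: {"infinite": 0, "finite": [], "wmi": set(), "watch": 0})
    for raw in report_text.splitlines():
        line = raw.strip().removesuffix("Jump to behavior").strip()  # drop page residue
        if not line.startswith("Source:"):
            continue
        m = PROC_RE.search(line)
        if not m:
            continue
        p = acc[m.group(1)]
        if d := DELAY_RE.search(line):
            ms = int(d.group(1))
            if ms == INFINITE_SLEEP_MS:
                p["infinite"] += 1
            else:
                p["finite"].append(ms)
        elif w := WMI_RE.search(line):
            if w.group(1) in VM_FINGERPRINT_CLASSES:
                p["wmi"].add(w.group(1))
        elif WATCH_RE.search(line):
            p["watch"] += 1
    return {
        name: {
            "infinite_sleeps": p["infinite"],
            "finite_sleep_total_s": round(sum(p["finite"]) / 1000, 1),
            "countdown_run": longest_countdown(p["finite"]),
            "wmi_vm_classes": sorted(p["wmi"]),
            "write_watch_allocs": p["watch"],
        }
        for name, p in acc.items()
    }


# Constructed input: a subset of the lines above, in the cleaned one-line form.
SAMPLE = r"""
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: 1640000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Memory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477Jump to behavior
"""

if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE), indent=2))
```

Run against the full signature text, the per-process summary separates the dropper (write-watch reservations, one infinite wait) from the injected RegSvcs.exe host (the WMI hardware queries and the countdown loop), which is the split an analyst wants before deciding which process to pull memory from.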
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (6 identical entries)
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation (queried twice)
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation (queried twice)
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation (queried twice)
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match, File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2931059217.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2931059217.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe PID: 7580, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 7736, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
(Note: every credential-store access above is attributed to RegSvcs.exe (PID 7736), the .NET framework utility that the sample started in suspended mode and injected into, not to the original sample process. Detection logic keyed only on the dropped file name will miss this stage; the useful pivot is a framework utility reading browser, mail, FTP and WinSCP stores.)
Source: Yara match, File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2931059217.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe PID: 7580, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 7736, type: MEMORYSTR
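The credential-store accesses listed above (all from the injected RegSvcs.exe) together with the outbound connection on TCP 587 recorded in this report's network section form a chain that is detectable from ordinary process, file, registry and network telemetry. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not AgentTesla code. It runs that detection over constructed event records modeled on the report's lines. The dict-based event format, the wildcarded user and profile directories, the hollowing targets other than RegSvcs.exe and the SMTP ports other than 587 are assumptions.

```python
"""Added example (not from the Joe Sandbox report, not AgentTesla code):
flag a process that touches several credential stores and was either started
as a .NET framework utility from a user-profile path or sent SMTP traffic.
Event dicts, wildcards, the extra hollowing targets and ports 25/465 are
assumptions; the paths, keys, PIDs, host and port 587 come from the report."""
from collections import defaultdict
from fnmatch import fnmatchcase

# Credential stores RegSvcs.exe opened in the report; the user name and the
# browser profile directory are replaced by wildcards (assumption).
CRED_FILE_PATTERNS = [
    r"*\AppData\Local\Google\Chrome\User Data\*\Login Data",
    r"*\AppData\Local\Microsoft\Edge\User Data\*\Login Data",
    r"*\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"*\AppData\Roaming\Thunderbird\profiles.ini",
    r"*\FTP Navigator\Ftplist.txt",
]
CRED_KEY_PATTERNS = [
    r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    r"HKEY_CURRENT_USER\Software\IncrediMail\Identities",
]
# RegSvcs.exe is the injection target in this report; the siblings are an assumed extension.
DOTNET_HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
SMTP_PORTS = {25, 465, 587}  # 587 is observed in the report; 25 and 465 are assumed


def _matches(value, patterns):
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def analyze(events):
    """Return one finding per pid.  A process is suspicious when it touched at
    least two distinct credential stores AND (was a .NET utility spawned from a
    path under \\Users\\ OR connected outbound on an SMTP port).  A browser
    that reads only its own profiles.ini therefore does not trigger."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    findings = []
    for pid, evs in by_pid.items():
        targets = {}  # lower-cased store -> reason text; keeps first-seen order, drops repeats
        spawn_anomaly = smtp = False
        reasons = []
        for ev in evs:
            kind = ev["type"]
            if kind == "process_create":
                exe = ev["image"].rsplit("\\", 1)[-1].lower()
                if exe in DOTNET_HOLLOW_TARGETS and "\\users\\" in ev["parent_image"].lower():
                    spawn_anomaly = True
                    reasons.append(f"{exe} started by user-profile executable {ev['parent_image']}")
            elif kind == "file_open" and _matches(ev["path"], CRED_FILE_PATTERNS):
                targets.setdefault(ev["path"].lower(), f"credential file opened: {ev['path']}")
            elif kind == "reg_open" and _matches(ev["key"], CRED_KEY_PATTERNS):
                targets.setdefault(ev["key"].lower(), f"credential key opened: {ev['key']}")
            elif kind == "net_connect" and ev["dst_port"] in SMTP_PORTS:
                smtp = True
                reasons.append(f"outbound SMTP to {ev['dst_ip']}:{ev['dst_port']}")
        reasons.extend(targets.values())
        findings.append({
            "pid": pid, "image": evs[0]["image"],
            "credential_targets": len(targets),
            "spawn_anomaly": spawn_anomaly, "smtp": smtp,
            "suspicious": len(targets) >= 2 and (spawn_anomaly or smtp),
            "reasons": reasons,
        })
    return findings


def suspicious_pids(events):
    return sorted(f["pid"] for f in analyze(events) if f["suspicious"])


def _ev(kind, pid, image, **extra):
    return {"type": kind, "pid": pid, "image": image, **extra}


# Constructed event stream mirroring the report's process tree and access lines.
SAMPLE = r"C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"  # benign control, constructed
SAMPLE_EVENTS = [
    _ev("process_create", 7580, SAMPLE, parent_image=r"C:\Windows\explorer.exe"),
    _ev("process_create", 7736, REGSVCS, parent_image=SAMPLE),
    _ev("reg_open", 7736, REGSVCS, key=r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    _ev("file_open", 7736, REGSVCS, path=r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    _ev("file_open", 7736, REGSVCS, path=r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    _ev("file_open", 7736, REGSVCS, path=r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    _ev("file_open", 7736, REGSVCS, path=r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    _ev("file_open", 7736, REGSVCS, path=r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    _ev("net_connect", 7736, REGSVCS, dst_ip="185.174.175.187", dst_port=587),
    # Benign control: a real browser reading only its own profiles.ini and talking HTTPS.
    _ev("process_create", 4242, FIREFOX, parent_image=r"C:\Windows\explorer.exe"),
    _ev("file_open", 4242, FIREFOX, path=r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    _ev("net_connect", 4242, FIREFOX, dst_ip="203.0.113.10", dst_port=443),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        if f["suspicious"]:
            print(f"pid {f['pid']} {f['image']}")
            for r in f["reasons"]:
                print("   ", r)
```

The threshold of two distinct stores plus one context signal is deliberate: a single profiles.ini or Login Data read is routine for the owning application, whereas a framework utility spawned from a user's Desktop that walks Chrome, Edge, Firefox, Thunderbird and WinSCP in sequence and then opens a mail-submission connection matches what this report records for PID 7736.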

Remote Access Functionality

Source: Yara match, File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2931059217.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2931059217.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe PID: 7580, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 7736, type: MEMORYSTR
MITRE ATT&CK Matrix (the report's matrix rendered one line per tactic; a number in front of a technique is the count badge shown in the report's matrix, and techniques without a number are matrix cells with no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 121 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 141 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 111 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Email Collection; 1 Input Capture; 11 Archive Collected Data; 2 Data from Local System; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1600779), recoverable content of the graph rendered as text:

Sample: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe; start date 27/01/2025; architecture WINDOWS; score 100
DNS/IP nodes: cp8nl.hyperhost.ua; 18.31.95.13.in-addr.arpa
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
Process tree:
  rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe (started)
    dropped file: rSGJ780097-JWVY856...UUIT6F6.bat.exe.log (ASCII)
    started: RegSvcs.exe
      network: cp8nl.hyperhost.ua, 185.174.175.187, ports 49736 and 587, ITLDC-NLUA, Ukraine
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 2 other signatures

Source | Detection | Scanner | Label
rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | 49% | Virustotal |
rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.sakkal.coml | 0% | Avira URL Cloud | safe
http://cp8nl.hyperhost.ua | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
cp8nl.hyperhost.ua | 185.174.175.187 | true | true | | unknown
18.31.95.13.in-addr.arpa | unknown | unknown | false | | high
(Note: cp8nl.hyperhost.ua is marked malicious on the strength of the observed traffic, the injected RegSvcs.exe connecting to 185.174.175.187 on port 587; the 0% / safe URL-reputation result for the same host above does not override that behavioural verdict. 18.31.95.13.in-addr.arpa is a reverse (PTR) lookup for 13.95.31.18, not a host the sample contacted.)
IP               Domain              Country  ASN    ASN Name    Malicious
185.174.175.187  cp8nl.hyperhost.ua  Ukraine  21100  ITLDC-NLUA  true
                                                                                      Joe Sandbox version:42.0.0 Malachite
                                                                                      Analysis ID:1600779
                                                                                      Start date and time:2025-01-27 23:31:05 +01:00
                                                                                      Joe Sandbox product:CloudBasic
                                                                                      Overall analysis duration:0h 6m 9s
                                                                                      Hypervisor based Inspection enabled:false
                                                                                      Report type:full
                                                                                      Cookbook file name:default.jbs
                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:7
                                                                                      Number of new started drivers analysed:0
                                                                                      Number of existing processes analysed:0
                                                                                      Number of existing drivers analysed:0
                                                                                      Number of injected processes analysed:0
                                                                                      Technologies:
                                                                                      • HCA enabled
                                                                                      • EGA enabled
                                                                                      • AMSI enabled
                                                                                      Analysis Mode:default
                                                                                      Analysis stop reason:Timeout
                                                                                      Sample name:rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
                                                                                      Detection:MAL
                                                                                      Classification:mal100.troj.spyw.evad.winEXE@3/1@2/1
                                                                                      EGA Information:
                                                                                      • Successful, ratio: 100%
                                                                                      HCA Information:
                                                                                      • Successful, ratio: 100%
                                                                                      • Number of executed functions: 25
                                                                                      • Number of non-executed functions: 4
                                                                                      Cookbook Comments:
                                                                                      • Found application associated with file extension: .exe
                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                      • Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50, 13.95.31.18, 4.245.163.56, 13.107.246.61
                                                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time      Type             Description
17:31:59  API Interceptor  1x Sleep call for process: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe modified
17:32:00  API Interceptor  30x Sleep call for process: RegSvcs.exe modified
Match: 185.174.175.187
Associated Sample Name / URL                           Detection  Threat Name
j66xcjuMKP.exe                                         malicious  AgentTesla
54B0E7E0Mk.exe                                         malicious  AgentTesla
EIqeWlQMGR.exe                                         malicious  AgentTesla
Pago_7839389309_8w20w808_723869189.exe                 malicious  AgentTesla
Factura_680368_7996260709.exe                          malicious  AgentTesla
OPL38839292092-XRT783892910-BI7893923929.exe           malicious  AgentTesla
rOLZ579082-GHJ678992-PLRZ9000W029W00.exe               malicious  AgentTesla
rPGI786687-7688Q21-SWYPPJIK89900.exe                   malicious  AgentTesla
SecuriteInfo.com.BackDoor.SpyBotNET.62.1543.28282.exe  malicious  AgentTesla
rPDG8838EHU0309-XYSUJ288399-PQSHXII399.exe             malicious  AgentTesla
Match: cp8nl.hyperhost.ua
Associated Sample Name / URL                           Detection  Threat Name  Context
j66xcjuMKP.exe                                         malicious  AgentTesla   185.174.175.187
54B0E7E0Mk.exe                                         malicious  AgentTesla   185.174.175.187
EIqeWlQMGR.exe                                         malicious  AgentTesla   185.174.175.187
Pago_7839389309_8w20w808_723869189.exe                 malicious  AgentTesla   185.174.175.187
Factura_680368_7996260709.exe                          malicious  AgentTesla   185.174.175.187
OPL38839292092-XRT783892910-BI7893923929.exe           malicious  AgentTesla   185.174.175.187
rOLZ579082-GHJ678992-PLRZ9000W029W00.exe               malicious  AgentTesla   185.174.175.187
rPGI786687-7688Q21-SWYPPJIK89900.exe                   malicious  AgentTesla   185.174.175.187
SecuriteInfo.com.BackDoor.SpyBotNET.62.1543.28282.exe  malicious  AgentTesla   185.174.175.187
rPDG8838EHU0309-XYSUJ288399-PQSHXII399.exe             malicious  AgentTesla   185.174.175.187
Match: ITLDC-NLUA
Associated Sample Name / URL  Detection  Threat Name                  Context
DCV78I939025789245.scr.exe    malicious  AgentTesla, PureLog Stealer  185.174.173.22
j66xcjuMKP.exe                malicious  AgentTesla                   185.174.175.187
54B0E7E0Mk.exe                malicious  AgentTesla                   185.174.175.187
sora.mpsl.elf                 malicious  Unknown                      5.34.180.213
PAYMENT RECEIPT.html          malicious  HTMLPhisher                  185.174.173.22
Mg5bMQ2lWi.exe                malicious  Petite Virus, Socks5Systemz  185.237.206.129
cNF6fXdjPw.dll                malicious  Socks5Systemz                185.237.206.129
KRdh0OaXqH.exe                malicious  Petite Virus, Socks5Systemz  185.237.206.129
wG1fFAzGfH.exe                malicious  Petite Virus, Socks5Systemz  185.237.206.129
AGcC2uK0El.exe                malicious  Petite Virus, Socks5Systemz  185.237.206.129
                                                                                                          Process:C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1216
                                                                                                          Entropy (8bit):5.34331486778365
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                          Malicious:true
                                                                                                          Reputation:high, very likely benign file
                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Entropy (8bit):7.27220747866742
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                          File name:rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
                                                                                                          File size:1'022'472 bytes
                                                                                                          MD5:38738d1bcce9a92053d0b2ff204da017
                                                                                                          SHA1:5d3e8a4d369e1528ca1d25146199444f5a77cd5f
                                                                                                          SHA256:34444d4292fb1f61fad6019625d22b9b88868e8af67aa0a84f1319ce8d571f01
                                                                                                          SHA512:707fb504942509851ab9f3c801f0e748946f66abaab911d4e1bdc2b896ff71c22e925435e89bde94a20d2e717216fd83af4e9f95b79987e1aa6396ad1d2a9648
                                                                                                          SSDEEP:12288:md0N6S1c2fTZUkwu0KgZVVaQlc+LrQ62iZL9FE0JidOv8rSsNSUr3CaNxP88DO8v:E00SXfOKGHc+LU622Ji4v8rkUr3CaP
                                                                                                          TLSH:0D254BDC3620339ECC67D579CA686C74E7603476630B629390D713EA7A4C693DF18AA3
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T5................0..Z..........^y... ........@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x4f795e
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x961E3554 [Sat Oct 23 00:35:32 2049 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 13/11/2018 00:00:00, 08/11/2021 23:59:59
Subject Chain
• CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version: 3
Thumbprint MD5: DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1: 5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256: 4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial: 7C1118CBBADC95DA3752C46E47A27438
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf7910 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf8000 | 0x5a0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xf6400 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfa000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf5964 | 0xf5a00 | 0213afcc0e6a3834cb74c3c1655c2968 | False | 0.7188245467557252 | data | 7.264339353751273 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xf8000 | 0x5a0 | 0x600 | abd2f2d9005eef755e452600a3fdc979 | False | 0.4192708333333333 | data | 4.062719011898018 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfa000 | 0xc | 0x200 | b847ea7d37de73259608fb8378ad687b | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xf80a0 | 0x314 | data | | | 0.43274111675126903
RT_MANIFEST | 0xf83b4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain

• Total Packets: 27
• 587 (undefined)
• 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 27, 2025 23:32:01.479782104 CET | 60942 | 53 | 192.168.2.4 | 1.1.1.1
Jan 27, 2025 23:32:01.535861969 CET | 53 | 60942 | 1.1.1.1 | 192.168.2.4
Jan 27, 2025 23:32:30.675296068 CET | 53 | 56339 | 162.159.36.2 | 192.168.2.4
Jan 27, 2025 23:32:31.154649019 CET | 49921 | 53 | 192.168.2.4 | 1.1.1.1
Jan 27, 2025 23:32:31.178714037 CET | 53 | 49921 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 27, 2025 23:32:01.479782104 CET | 192.168.2.4 | 1.1.1.1 | 0x6917 | Standard query (0) | cp8nl.hyperhost.ua | A (IP address) | IN (0x0001) | false
Jan 27, 2025 23:32:31.154649019 CET | 192.168.2.4 | 1.1.1.1 | 0xf61f | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 27, 2025 23:32:01.535861969 CET | 1.1.1.1 | 192.168.2.4 | 0x6917 | No error (0) | cp8nl.hyperhost.ua | | 185.174.175.187 | A (IP address) | IN (0x0001) | false
Jan 27, 2025 23:32:31.178714037 CET | 1.1.1.1 | 192.168.2.4 | 0xf61f | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 27, 2025 23:32:02.425179005 CET | 587 | 49736 | 185.174.175.187 | 192.168.2.4 | 220-cp8nl.hyperhost.ua ESMTP Exim 4.98 #2 Tue, 28 Jan 2025 00:32:02 +0200
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Jan 27, 2025 23:32:02.450242043 CET | 49736 | 587 | 192.168.2.4 | 185.174.175.187 | EHLO 364339
Jan 27, 2025 23:32:02.629668951 CET | 587 | 49736 | 185.174.175.187 | 192.168.2.4 | 250-cp8nl.hyperhost.ua Hello 364339 [8.46.123.189]
                                                                                                          250-SIZE 52428800
                                                                                                          250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                                                          250-8BITMIME
                                                                                                          250-PIPELINING
                                                                                                          250-PIPECONNECT
                                                                                                          250-STARTTLS
                                                                                                          250 HELP
                                                                                                          Jan 27, 2025 23:32:02.635289907 CET49736587192.168.2.4185.174.175.187STARTTLS
                                                                                                          Jan 27, 2025 23:32:02.816309929 CET58749736185.174.175.187192.168.2.4220 TLS go ahead

                                                                                                          Target ID:0
                                                                                                          Start time:17:31:57
                                                                                                          Start date:27/01/2025
                                                                                                          Path:C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe"
                                                                                                          Imagebase:0xbc0000
                                                                                                          File size:1'022'472 bytes
                                                                                                          MD5 hash:38738D1BCCE9A92053D0B2FF204DA017
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:2
                                                                                                          Start time:17:31:59
                                                                                                          Start date:27/01/2025
                                                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                          Imagebase:0x5d0000
                                                                                                          File size:45'984 bytes
                                                                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2931059217.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2931059217.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2931059217.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:high
                                                                                                          Has exited:false

                                                                                                          Execution Graph
                                                                                                          Execution Coverage:10.3%
                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:159
                                                                                                          Total number of Limit Nodes:15

                                                                                                          Executed Functions

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

                                                                                                          Control-flow Graph

                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0168B4E6
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HandleModule
                                                                                                          • String ID: /$q5
                                                                                                          • API String ID: 4139908857-2261123804
                                                                                                          • Opcode ID: 7041387c47318c5a2c5871a71edf7438a9433da0f1a75e4e023d6fe7fb939c7b
                                                                                                          • Instruction ID: 64f3092a1f78dc0ebf15dc008e33e66f3363a126cb321ad4cdd2b3d6e02c03b1
                                                                                                          • Opcode Fuzzy Hash: 7041387c47318c5a2c5871a71edf7438a9433da0f1a75e4e023d6fe7fb939c7b
                                                                                                          • Instruction Fuzzy Hash: 68814570A00B058FDB25EF6AD95479ABBF1FF48200F108A2ED486D7B50D775E945CB90

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 432 1685da4-1685e71 CreateActCtxA 434 1685e7a-1685ed4 432->434 435 1685e73-1685e79 432->435 442 1685ee3-1685ee7 434->442 443 1685ed6-1685ed9 434->443 435->434 444 1685ef8 442->444 445 1685ee9-1685ef5 442->445 443->442 447 1685ef9 444->447 445->444 447->447
                                                                                                          APIs
                                                                                                          • CreateActCtxA.KERNEL32(?), ref: 01685E61
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Create
                                                                                                          • String ID: /$q5
                                                                                                          • API String ID: 2289755597-2261123804
                                                                                                          • Opcode ID: 8f521859da26bd081eefde49569c6cd1430973580dcee6af48cbf4308a20f986
                                                                                                          • Instruction ID: 9b1d56575b53f9a89f7b9a11d3bead3f4c9492bd8a30b2afc94485acb993a7e8
                                                                                                          • Opcode Fuzzy Hash: 8f521859da26bd081eefde49569c6cd1430973580dcee6af48cbf4308a20f986
                                                                                                          • Instruction Fuzzy Hash: C741E1B0C00219CEDB24DFA9C844BDDFBB5BF49304F24819AD509AB255DB755946CF90

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 448 168490c-1685e71 CreateActCtxA 451 1685e7a-1685ed4 448->451 452 1685e73-1685e79 448->452 459 1685ee3-1685ee7 451->459 460 1685ed6-1685ed9 451->460 452->451 461 1685ef8 459->461 462 1685ee9-1685ef5 459->462 460->459 464 1685ef9 461->464 462->461 464->464
                                                                                                          APIs
                                                                                                          • CreateActCtxA.KERNEL32(?), ref: 01685E61
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: Create
                                                                                                          • String ID: /$q5
                                                                                                          • API String ID: 2289755597-2261123804
                                                                                                          • Opcode ID: fd14b575fc25334699f536bbf22bc53000860f13d02c30b2b627d6080ea87299
                                                                                                          • Instruction ID: 1ec6fa2de6816326d5ae6c8777cbcd023cf58e6b7af2584b1f40efb602caf716
                                                                                                          • Opcode Fuzzy Hash: fd14b575fc25334699f536bbf22bc53000860f13d02c30b2b627d6080ea87299
                                                                                                          • Instruction Fuzzy Hash: F841C1B0C00719CBDB24EFA9C848B9EFBB5BF48304F24816AD509AB255DB75A945CF90

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 465 78511a0-78511f4 467 78511f6-78511fc 465->467 468 78511ff-785120e 465->468 467->468 469 7851210 468->469 470 7851213-785124c DrawTextExW 468->470 469->470 471 7851255-7851272 470->471 472 785124e-7851254 470->472 472->471
                                                                                                          APIs
                                                                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0785123F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DrawText
                                                                                                          • String ID: /$q5
                                                                                                          • API String ID: 2175133113-2261123804
                                                                                                          • Opcode ID: 0360b8c863689b6635626f4716cd22207e3a98cc18fb28b27f22c15e61b592dd
                                                                                                          • Instruction ID: f9e3802ff31dea7c3b950e4be6c225de6bdd1d6b190867344c778f289c93a4ae
                                                                                                          • Opcode Fuzzy Hash: 0360b8c863689b6635626f4716cd22207e3a98cc18fb28b27f22c15e61b592dd
                                                                                                          • Instruction Fuzzy Hash: 9531C0B5D013599FDB10CF9AD884ADEFBF5FB58320F14842AE919A7210D774A944CFA0

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 475 78511a8-78511f4 476 78511f6-78511fc 475->476 477 78511ff-785120e 475->477 476->477 478 7851210 477->478 479 7851213-785124c DrawTextExW 477->479 478->479 480 7851255-7851272 479->480 481 785124e-7851254 479->481 481->480
                                                                                                          APIs
                                                                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0785123F
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DrawText
                                                                                                          • String ID: /$q5
                                                                                                          • API String ID: 2175133113-2261123804
                                                                                                          • Opcode ID: 4ffb1c93b10cebefcc6cda7b62487542841efe5b1164c0d47c769af0bf07a09a
                                                                                                          • Instruction ID: 7f60957f63f51db5f938d5f9c51fc023a898b011883e469a018dcaedd517d0c1
                                                                                                          • Opcode Fuzzy Hash: 4ffb1c93b10cebefcc6cda7b62487542841efe5b1164c0d47c769af0bf07a09a
                                                                                                          • Instruction Fuzzy Hash: C021CEB5D0024A9FDB10CF9AD884A9EFBF5FB58320F14842AE919A7210D774A944CFA0

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 484 168d298-168d7fc DuplicateHandle 486 168d7fe-168d804 484->486 487 168d805-168d822 484->487 486->487
                                                                                                          APIs
                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0168D72E,?,?,?,?,?), ref: 0168D7EF
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DuplicateHandle
                                                                                                          • String ID: /$q5
                                                                                                          • API String ID: 3793708945-2261123804
                                                                                                          • Opcode ID: 384025a9f9f5dadd8f563de538f9b5170c45b61539d1edbbf3af180882fdbe07
                                                                                                          • Instruction ID: 320b586034b515096ef4736d7ea1fbe63a23ffcc251a8808125de0e44274ed4b
                                                                                                          • Opcode Fuzzy Hash: 384025a9f9f5dadd8f563de538f9b5170c45b61539d1edbbf3af180882fdbe07
                                                                                                          • Instruction Fuzzy Hash: CA21E3B59002589FDB10DF9AD984AEEBBF4EB48320F14805AE918A7350D374A940CFA4

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 490 168d760-168d762 491 168d768-168d7fc DuplicateHandle 490->491 492 168d7fe-168d804 491->492 493 168d805-168d822 491->493 492->493
                                                                                                          APIs
                                                                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0168D72E,?,?,?,?,?), ref: 0168D7EF
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DuplicateHandle
                                                                                                          • String ID: /$q5
                                                                                                          • API String ID: 3793708945-2261123804
                                                                                                          • Opcode ID: 33ee396b501b99389ba179e4a03344c33531d0ab4d94202718d310ac40f443de
                                                                                                          • Instruction ID: 0a416436fa6cb3308b1bc73cc77af83edc0ef5fc10cdbff290c21a7a7fef4388
                                                                                                          • Opcode Fuzzy Hash: 33ee396b501b99389ba179e4a03344c33531d0ab4d94202718d310ac40f443de
                                                                                                          • Instruction Fuzzy Hash: 2E21E3B59002589FDB10DF9AD984ADEBFF4FB48310F14805AE918A7350D374A944CFA4

                                                                                                          Control-flow Graph

                                                                                                          control_flow_graph 496 168b480-168b4c0 497 168b4c8-168b4f3 GetModuleHandleW 496->497 498 168b4c2-168b4c5 496->498 499 168b4fc-168b510 497->499 500 168b4f5-168b4fb 497->500 498->497 500->499
                                                                                                          APIs
                                                                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0168B4E6
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: HandleModule
                                                                                                          • String ID: /$q5
                                                                                                          • API String ID: 4139908857-2261123804
                                                                                                          • Opcode ID: 9b1b5a73741cd595ee618be0014c95d04b5b5abcda97e573da64a0965d9cb353
                                                                                                          • Instruction ID: b76a607785d7d8da047efe6ec5cfba4d42cecf7f1bee11c319c3f645da368b24
                                                                                                          • Opcode Fuzzy Hash: 9b1b5a73741cd595ee618be0014c95d04b5b5abcda97e573da64a0965d9cb353
                                                                                                          • Instruction Fuzzy Hash: 1D1110B5C002498FDB10DF9AD844ADEFBF4AF88320F10852AD918B7310C379A545CFA1
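Worked example (added by the editor; not part of the Joe Sandbox report or its tooling): a parser for the IDA-plugin function entries as they are rendered above. It reads each block's control-flow-graph entry address, the API call with its call-site address, the dump region offset and whether that region is backed by a PE image, and closes a block on its Instruction Fuzzy Hash line, so a block cut off at the end of a page is dropped rather than half-parsed. Two summaries follow: the APIs reached from each dumped region, and call sites attributed to more than one entry address, which is what the paired CreateActCtxA, DuplicateHandle and GetModuleHandleW entries above are (two entry points into one code body, to be counted once when tallying API usage). The sample text is constructed from entries on this page, trimmed to the fields the parser reads, and the regexes assume this rendering of the report.

```python
"""Parse the IDA-plugin function entries of a Joe Sandbox report (the text form shown on this
page) into records and summarise which Win32 APIs are reached from which dumped memory region.
Added example by the editor, not Joe Sandbox code. SAMPLE_REPORT is constructed from entries
on this page, trimmed to the fields the parser reads; the regexes target that rendering."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_REPORT = """\
Control-flow Graph
• Executed
control_flow_graph 432 1685da4-1685e71 CreateActCtxA 434 1685e7a-1685ed4 432->434 435 1685e73-1685e79 432->435
APIs
• CreateActCtxA.KERNEL32(?), ref: 01685E61
Memory Dump Source
• Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
• Opcode ID: 8f521859da26bd081eefde49569c6cd1430973580dcee6af48cbf4308a20f986
• Instruction Fuzzy Hash: C741E1B0C00219CEDB24DFA9C844BDDFBB5BF49304F24819AD509AB255DB755946CF90

Control-flow Graph
control_flow_graph 448 168490c-1685e71 CreateActCtxA 451 1685e7a-1685ed4 448->451
APIs
• CreateActCtxA.KERNEL32(?), ref: 01685E61
Memory Dump Source
• Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
• Opcode ID: fd14b575fc25334699f536bbf22bc53000860f13d02c30b2b627d6080ea87299
• Instruction Fuzzy Hash: F841C1B0C00719CBDB24EFA9C848B9EFBB5BF48304F24816AD509AB255DB75A945CF90

Control-flow Graph
control_flow_graph 465 78511a0-78511f4 467 78511f6-78511fc 465->467 470 7851213-785124c DrawTextExW 468->470
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 0785123F
Memory Dump Source
• Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
• Opcode ID: 0360b8c863689b6635626f4716cd22207e3a98cc18fb28b27f22c15e61b592dd
• Instruction Fuzzy Hash: 9331C0B5D013599FDB10CF9AD884ADEFBF5FB58320F14842AE919A7210D774A944CFA0

Memory Dump Source
• Source File: 00000000.00000002.1726115588.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
• Opcode ID: ba254b620f8b1a432f07c598f401b4c4af8db4d45cfdf2b32ff6235a34d2ce0c
• Instruction Fuzzy Hash: A321D371904240DFDF05DF58DAC0B27BF65FB88328F24C56AE9094B266C336D456CBA1
"""

@dataclass
class FunctionEntry:
    entry: Optional[int] = None      # first basic block of the CFG; None when no CFG was rendered
    apis: list = field(default_factory=list)  # (api, module, call-site address)
    offset: Optional[int] = None     # base of the dumped region the function lives in
    based_on_pe: Optional[bool] = None
    opcode_id: str = ""
    instruction_fuzzy: str = ""

CFG_RE = re.compile(r"^control_flow_graph\s+\d+\s+([0-9a-f]+)-")
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-F]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-F]+),\s*based on PE:\s*(true|false)$")
KV_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")

def parse_entries(text: str) -> list:
    """One FunctionEntry per block. A block is closed by its Instruction Fuzzy Hash line, so a
    block cut off before that line (as at the end of a page) is dropped rather than half-parsed."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()           # the report indents every line; legend/header lines match nothing
        if m := CFG_RE.match(line):
            cur.entry = int(m.group(1), 16)
        elif m := API_RE.match(line):
            cur.apis.append((m.group(1), m.group(2), int(m.group(4), 16)))
        elif m := SRC_RE.match(line):
            cur.offset, cur.based_on_pe = int(m.group(2), 16), m.group(3) == "true"
        elif m := KV_RE.match(line):
            key, val = m.group(1), m.group(2).strip()
            if key == "Opcode ID":
                cur.opcode_id = val
            elif key == "Instruction Fuzzy Hash":
                cur.instruction_fuzzy = val
                entries.append(cur)
                cur = FunctionEntry()
    return entries

def apis_by_region(entries) -> dict:
    """Region offset -> sorted 'MODULE!Api' names called from functions in that region."""
    regions = defaultdict(set)
    for e in entries:
        for api, module, _ in e.apis:
            regions[e.offset].add(f"{module}!{api}")
    return {off: sorted(names) for off, names in regions.items()}

def shared_call_sites(entries) -> dict:
    """Call-site address -> entry addresses of every function it was attributed to. Two entries
    for one call site mean IDA found two entry points into one code body (0x1685da4 and
    0x168490c both reach CreateActCtxA at 0x1685e61); count that function once, not twice."""
    sites = defaultdict(list)
    for e in entries:
        for _, _, ref in e.apis:
            sites[ref].append(e.entry)
    return {ref: ents for ref, ents in sites.items() if len(ents) > 1}
```

To run it over the real report, pass the page text saved as UTF-8 to parse_entries; the leading indentation of the rendered lines is stripped before matching, so the regexes work on the page as extracted.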
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726115588.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_149d000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ba254b620f8b1a432f07c598f401b4c4af8db4d45cfdf2b32ff6235a34d2ce0c
                                                                                                          • Instruction ID: 5df5003fba3e6a1ad75ec77d47da7e3f44514bd7292b070250c24675c3c820e3
                                                                                                          • Opcode Fuzzy Hash: ba254b620f8b1a432f07c598f401b4c4af8db4d45cfdf2b32ff6235a34d2ce0c
                                                                                                          • Instruction Fuzzy Hash: A321D371904240DFDF05DF58DAC0B27BF65FB88328F24C56AE9094B266C336D456CBA1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726165396.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_14ad000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: de70672741327aaa91a555f0e53be06375be3892bb2f09987b5d7b2b5f99c6a9
                                                                                                          • Instruction ID: 49c7dfee171f02636e3edd78d7cd183b37fcf44ed0b84e9f5b1d134e4fd198fc
                                                                                                          • Opcode Fuzzy Hash: de70672741327aaa91a555f0e53be06375be3892bb2f09987b5d7b2b5f99c6a9
                                                                                                          • Instruction Fuzzy Hash: CA2145B0988200DFCB15DF58D980B17BFA1EB94318F60C56ED80A4B766C336C407CA61
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726165396.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_14ad000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c6cb3d90a5a6d46e52f2cb59a07081bfa1a1da166c751c7f22d0472b72faae96
                                                                                                          • Instruction ID: df4d5c2fef20c8b3906b1a128d60f34fc85b318e598a2d57346a082642f46e98
                                                                                                          • Opcode Fuzzy Hash: c6cb3d90a5a6d46e52f2cb59a07081bfa1a1da166c751c7f22d0472b72faae96
                                                                                                          • Instruction Fuzzy Hash: 67214972904200DFDB01DF98C9C0B26BBA5FB94324F60C57ED8094B762C336D446CA61
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726165396.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_14ad000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ce64fa4f702d7e3a5767d02b8e5288fae121a3625bf4026ded585e94b23bd7c0
                                                                                                          • Instruction ID: b7bd555bf5cc8fdc2830847733ccbb3699bcdf8aae46d548d9e1c56d8f389bf1
                                                                                                          • Opcode Fuzzy Hash: ce64fa4f702d7e3a5767d02b8e5288fae121a3625bf4026ded585e94b23bd7c0
                                                                                                          • Instruction Fuzzy Hash: A92192755493808FDB03CF24D594716BF71EB46218F29C5DBD8498F6A7C33A980ACB62
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726115588.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_149d000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                          • Instruction ID: 0099c2afd18ca1151c59fd722ac17aa3116df418d4cf03236be6504fecd6866e
                                                                                                          • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                          • Instruction Fuzzy Hash: 5511E176804280CFCF02CF54D9C4B16BF71FB84328F24C6AAD8090B266C336D45ACBA1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726165396.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_14ad000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                          • Instruction ID: e6cbd3559f1dde374f7964b6be68b842111be56e9dcb0ec2087e137f35d193f9
                                                                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                          • Instruction Fuzzy Hash: DC11BB76904280DFDB02CF54C5C4B16BFA1FB84224F24C6AAD8494B7A6C33AD40ACB61
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726115588.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_149d000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f98c399e1fad4efd4d207cf9c5562f2ee69b2e1ed170e7e26d75fa01de6b48ba
                                                                                                          • Instruction ID: bdb2c2d58324d44a373d3583bbc9ad0c5fecc12a4eacf7ad4454aadf10a0f4a9
                                                                                                          • Opcode Fuzzy Hash: f98c399e1fad4efd4d207cf9c5562f2ee69b2e1ed170e7e26d75fa01de6b48ba
                                                                                                          • Instruction Fuzzy Hash: AA012B314083809AEB115EAACDC4B6FBF98DF41324F08C5ABED080F2A6D239D841CA71
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726115588.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_149d000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e60b95af4d4c446f2fca5b27a51cbbe340eb9792bebfa749234b61c9850d3940
                                                                                                          • Instruction ID: dbf94497bc7f3c4e35a31bf423fbdf882313a978f9b9256091cc92755d897d95
                                                                                                          • Opcode Fuzzy Hash: e60b95af4d4c446f2fca5b27a51cbbe340eb9792bebfa749234b61c9850d3940
                                                                                                          • Instruction Fuzzy Hash: 73F062754043849EEB118E5AD888B67FFA8EF51634F18C49AED085E296C2799844CAB1

                                                                                                          Non-executed Functions

                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5617e34ffa750ade872e51ca4900a65e22504a7ade4b1391eff47df7ce28e4f2
                                                                                                          • Instruction ID: 579a89d706f7466c5229335b0fe2ee1f1c6a8687a3a0c4425eb133dbb96e1d4d
                                                                                                          • Opcode Fuzzy Hash: 5617e34ffa750ade872e51ca4900a65e22504a7ade4b1391eff47df7ce28e4f2
                                                                                                          • Instruction Fuzzy Hash: BEE1D9B4E041198FCB14CFA9C980AAEFBB2FF49305F248169E815EB355D735A941CF61
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 661db438b3e2d8383478f70eac0f06f3dfa76f5ece3cd3581c829c132583049a
                                                                                                          • Instruction ID: c9b432a831c00d958a10d22285132e86b54d20041fb05d239957805f77728b56
                                                                                                          • Opcode Fuzzy Hash: 661db438b3e2d8383478f70eac0f06f3dfa76f5ece3cd3581c829c132583049a
                                                                                                          • Instruction Fuzzy Hash: 13A17032E0021ADFCF15EFB4C84459EBBB2FF85300B1546AAE901AB265DB32D956CB50
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 53b80534d1f58865899c019596d162ac23b869b0c04c402ecb0c66398dd3b262
                                                                                                          • Instruction ID: 344759bfa0ce01212af3e8c9ae725a574c4dfb35b173d10a4b84ca54d2298199
                                                                                                          • Opcode Fuzzy Hash: 53b80534d1f58865899c019596d162ac23b869b0c04c402ecb0c66398dd3b262
                                                                                                          • Instruction Fuzzy Hash: 097183B4E016198FCB04DFAAC58499EFBF2BF89300F14D166E818EB215DB34A945CF50
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 731fadf04cf45675f6f853baf8dad31c0999fcd7405d40409f2aff27b1020481
                                                                                                          • Instruction ID: 07a0a0e4d6554efec760eaa460fab39626a38744e2136a01a11ff44dd50478ac
                                                                                                          • Opcode Fuzzy Hash: 731fadf04cf45675f6f853baf8dad31c0999fcd7405d40409f2aff27b1020481
                                                                                                          • Instruction Fuzzy Hash: D05174B5E006198FDB08DFAAC98469EFBF2BF88300F14C16AD858EB354DB3459468F50

                                                                                                          Execution Graph

                                                                                                          Execution Coverage:12.4%
                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:10
                                                                                                          Total number of Limit Nodes:0
                                                                                                          execution_graph (nodes listed as id, start address and, where present, the API called; edges as source id -> target id)
                                                                                                          • Nodes: 14261 103fd70; 14262 103fd8a; 14265 103fd93; 14266 103fda0; 14267 103fe3a CallWindowProcW; 14268 103fde9; 14269 103fda0; 14270 103fde2; 14271 103fde9; 14272 103fe3a CallWindowProcW
                                                                                                          • Edges: 14261->14265; 14261->14269; 14265->14266; 14266->14267; 14266->14268; 14267->14268; 14268->14262; 14269->14270; 14269->14271; 14270->14271; 14270->14272; 14271->14262; 14272->14271

                                                                                                          Executed Functions

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
                                                                                                          control_flow_graph (basic blocks listed as id and address range, with the API called where present; edges as source id -> target id)
                                                                                                          • Blocks: 1129 103fda0-103fddc; 1130 103fde2-103fde7; 1131 103fe8c-103feac; 1132 103fe3a-103fe72 CallWindowProcW; 1133 103fde9-103fe20; 1134 103fe74-103fe7a; 1135 103fe7b-103fe8a; 1137 103feaf-103febc; 1140 103fe22-103fe28; 1141 103fe29-103fe38
                                                                                                          • Edges: 1129->1130; 1129->1131; 1130->1132; 1130->1133; 1131->1137; 1132->1134; 1132->1135; 1133->1140; 1133->1141; 1134->1135; 1135->1137; 1140->1141; 1141->1137
                                                                                                          APIs
                                                                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 0103FE61
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.2930604000.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_2_2_1030000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CallProcWindow
                                                                                                          • String ID:
                                                                                                          • API String ID: 2714655100-0
                                                                                                          • Opcode ID: ce9cc356d10705ca6e05bd6a573a11c64db8cc7cf9ec0067d52633a48c04a9ab
                                                                                                          • Instruction ID: 5f70914c7dd7f5ac625d5c50bacbe22ede0a0c55ce133b930a0dd3b5fafa2b32
                                                                                                          • Opcode Fuzzy Hash: ce9cc356d10705ca6e05bd6a573a11c64db8cc7cf9ec0067d52633a48c04a9ab
                                                                                                          • Instruction Fuzzy Hash: B74129B5A00349CFCB14CF99C448AAABBF9FF88714F24C499D559AB321D734A841CFA1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.2929607842.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_2_2_c9d000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8b73a901c5d0cc71ff59a1401b25c89385a56ca7c266e4b02668f1808038a632
                                                                                                          • Instruction ID: 3ef893f4780e5001570460891353eff0779d49e1badbe87a1f51b980230354bf
                                                                                                          • Opcode Fuzzy Hash: 8b73a901c5d0cc71ff59a1401b25c89385a56ca7c266e4b02668f1808038a632
                                                                                                          • Instruction Fuzzy Hash: 6F316B7550D3C49FCB03CF24C994711BF71AB46214F29C5EBD9898F2A3C23A981ACB62
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000002.00000002.2929607842.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_2_2_c9d000_RegSvcs.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: cb131bee52b430fa632ae2220fdff145a31595c344cadfa47036e0c5d64c6ca6
                                                                                                          • Instruction ID: e9266c49723c0a16e5dabf3835be5d867779473620c758cf2bf98b6a5b676ff3
                                                                                                          • Opcode Fuzzy Hash: cb131bee52b430fa632ae2220fdff145a31595c344cadfa47036e0c5d64c6ca6
                                                                                                          • Instruction Fuzzy Hash: FB210471504304DFDF14DF14DAC8B26BBA5FB84314F24C56DD80A5B296C33AD847CA62