Edit tour

Windows Analysis Report
rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Overview

General Information

Sample name:	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Analysis ID:	1600779
MD5:	38738d1bcce9a92053d0b2ff204da017
SHA1:	5d3e8a4d369e1528ca1d25146199444f5a77cd5f
SHA256:	34444d4292fb1f61fad6019625d22b9b88868e8af67aa0a84f1319ce8d571f01
Tags:	exeuser-Porcupine
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe (PID: 7580 cmdline: "C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe" MD5: 38738D1BCCE9A92053D0B2FF204DA017)

RegSvcs.exe (PID: 7736 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{
  "Exfil Mode": "SMTP",
  "Port": "587",
  "Host": "cp8nl.hyperhost.ua",
  "Username": "absach@genesio.top",
  "Password": "@qwerty90123        "
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2931059217.00000000028D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.2931059217.0000000002861000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2931059217.0000000002861000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe PID: 7580	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe PID: 7580	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe PID: 7580	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7736	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7736	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3204f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x320c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3214b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x321dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32247:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x322b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3234f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x323df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33e4f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33ec1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33f4b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33fdd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34047:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x340b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3414f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x341df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3204f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x320c1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3214b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x321dd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32247:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x322b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3234f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x323df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33e4f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f06f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33ec1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f0e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33f4b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f16b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33fdd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f1fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34047:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f267:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x340b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f2d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3414f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f36f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x341df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6f3ff:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33e4f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6f26f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xaa48f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33ec1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6f2e1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xaa501:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33f4b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6f36b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xaa58b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33fdd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6f3fd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xaa61d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34047:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6f467:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xaa687:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x340b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6f4d9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xaa6f9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3414f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6f56f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xaa78f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.174.175.187, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7736, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "absach@genesio.top", "Password": "@qwerty90123 "}

Multi AV Scanner detection for submitted file

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Virustotal: Detection: 48%

Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Joe Sandbox ML: detected

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 185.174.175.187:587

Source: global traffic

TCP traffic: 192.168.2.4:53667 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 185.174.175.187 185.174.175.187

Source: Joe Sandbox View

ASN Name: ITLDC-NLUA ITLDC-NLUA

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 185.174.175.187:587

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: cp8nl.hyperhost.ua
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cp8nl.hyperhost.ua
Source: RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2930467946.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp, rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2930467946.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	String found in binary or memory: http://tempuri.org/Polly_PipeDataSet.xsd
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731518943.0000000005A14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.coml
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2930467946.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, SKTzxzsJw.cs

.Net Code: P0mmrM

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Code function: 0_2_0168E02C	0_2_0168E02C
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Code function: 0_2_0785A658	0_2_0785A658
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Code function: 0_2_0785EBE0	0_2_0785EBE0
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Code function: 0_2_0785B928	0_2_0785B928
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Code function: 0_2_0785A64B	0_2_0785A64B
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Code function: 0_2_0785DF68	0_2_0785DF68
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Code function: 0_2_0785EEB8	0_2_0785EEB8
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Code function: 0_2_0785EEC8	0_2_0785EEC8
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Code function: 0_2_0785EBD3	0_2_0785EBD3
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Code function: 0_2_0785B918	0_2_0785B918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01039388	2_2_01039388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01039B48	2_2_01039B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01034A98	2_2_01034A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01033E80	2_2_01033E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0103CEA0	2_2_0103CEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010341C8	2_2_010341C8

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Static PE information: invalid certificate

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1728748862.000000000416A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000000.1683260755.0000000000BC2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevzHb.exe6 vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1727376542.0000000003121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefc5dce39-38f8-4333-8bf2-0b26de43131c.exe4 vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefc5dce39-38f8-4333-8bf2-0b26de43131c.exe4 vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1725424295.000000000124E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1733758098.000000000B6A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1728748862.0000000004982000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1732536572.0000000007730000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Binary or memory string: OriginalFilenamevzHb.exe6 vs rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, YIqdnTZwEPBrH1FTHb.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, YIqdnTZwEPBrH1FTHb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, YIqdnTZwEPBrH1FTHb.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, YIqdnTZwEPBrH1FTHb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, YIqdnTZwEPBrH1FTHb.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, YIqdnTZwEPBrH1FTHb.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Mutant created: \Sessions\1\BaseNamedObjects\wjOctAPDxNPP

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Virustotal: Detection: 48%

Source: unknown	Process created: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe "C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe"
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	.Net Code: wfC1xj5Ld2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.416a528.2.raw.unpack, MainForm.cs	.Net Code: _202D_206F_202D_200E_202A_206C_202A_202A_206D_200D_206C_206A_206A_202D_200D_206A_200D_200C_200E_200F_206B_206A_206B_202D_206A_206E_206C_200C_202E_200D_206B_206A_206A_206B_200F_202B_200C_202B_200E_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	.Net Code: wfC1xj5Ld2 System.Reflection.Assembly.Load(byte[])
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.7730000.5.raw.unpack, MainForm.cs	.Net Code: _202D_206F_202D_200E_202A_206C_202A_202A_206D_200D_206C_206A_206A_202D_200D_206A_200D_200C_200E_200F_206B_206A_206B_202D_206A_206E_206C_200C_202E_200D_206B_206A_206A_206B_200F_202B_200C_202B_200E_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	.Net Code: wfC1xj5Ld2 System.Reflection.Assembly.Load(byte[])

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Static PE information: 0x961E3554 [Sat Oct 23 00:35:32 2049 UTC]

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Code function: 0_2_07852713 push F005868Fh; ret		0_2_0785271D
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Code function: 0_2_07859988 push eax; iretd		0_2_07859989

Source: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Static PE information: section name: .text entropy: 7.264339353751273

Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, ejZGFIWEC7oEI54yuV.cs	High entropy of concatenated method names: 'LOGqd4Yvul', 'R7GqmaQ669', 'H5bqZbpR3r', 'R7hqWUigB2', 'OIqqfPcgmo', 'qm4qG17kce', 'F3Uq70miE5', 'LywqTcPlE5', 'KT9qMuJrlS', 'ykiq2yucjU'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, tMHjpQ9tMB2G9WMxca.cs	High entropy of concatenated method names: 'hBeMoEt3Z8', 'wK1Mn4A9MK', 'bElMYe6aWu', 'y4GMLQlaav', 'vriMP9jvYb', 'rmXMtSrNh0', 'JGFMaeTx0Z', 'zfaMc5Fcw7', 'IKIM4bfwr3', 'Ju7MSX1Iud'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, uG3L8eeeeNpD6r3MYnA.cs	High entropy of concatenated method names: 'Ir62bqvkPh', 'VXu2zJvVBl', 'Orljg6dgxN', 'hZYjexWbME', 'MmbjyN6iOp', 'UDWj05AdmT', 'rdIj1o8lt0', 'mNfjEAp0ya', 'JmrjvD98gx', 'p2KjhK4GGO'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, muvhe9oreOtObp2D1K.cs	High entropy of concatenated method names: 'a3irEAia4J', 'v2srhahlq3', 'H1grBGQNFI', 'QGmrQRuBPu', 'rFhrHxWBVH', 'vcBB8SRuGh', 'QMcB6Wvf3O', 'XVfBlAfrAn', 'DoBBJOXRId', 'jyNB9MQq1F'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, nnWCtK49FAAnUT3Duh.cs	High entropy of concatenated method names: 'SfWQuE84mc', 'Lf7QkP2oEa', 'valQxGjfeQ', 'nksQd1cBEf', 'D40QKPcMIo', 'YHpQmdFe15', 'TygQV99RFR', 'wfeQZ3TXGN', 'nWvQWB5Isj', 'RICQXeLHtM'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, cKx96hzHJ3vxIFm6hw.cs	High entropy of concatenated method names: 'ACm2mB2peL', 'vWN2ZnXCPP', 'W0I2Wlwgas', 'drN2oH06Lg', 'Kcx2nyYUqQ', 'xRS2LjJf7a', 'QPt2P4MCA5', 'AjQ2sdRS2Z', 'l4o2uWwygH', 'UNQ2kw7RnK'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, GTpSuV6ePOHDmoiebI.cs	High entropy of concatenated method names: 'lND7J47LIi', 'hkQ7bRfOCt', 'N4eTg4rEgt', 'gfWTeq2bOn', 'Kwm7N8k2Ni', 'C0B7Rj5XHU', 'TiH7Crg9jq', 'QLj7pX5mv1', 'z087FFqeVZ', 'Pq87DsFcK3'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, Kpds23bRZ3g8UawtCn.cs	High entropy of concatenated method names: 'bLQ2qGkGF2', 'A5P2BboOwe', 'gSX2rCGL0g', 'ptp2QkkTgS', 'lUd2MRPsbK', 'UxF2HTtEG5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, OybYUnXBlbhQxTn54P.cs	High entropy of concatenated method names: 'r5iBKtGRo0', 'QppBVQEl1y', 'q4dqYqYwR7', 'z6vqLUuxxm', 'N69qPV1SmW', 'dIKqtmLbST', 'GyQqaL9Aro', 'g1sqcEpFoQ', 'Y2Kq4jFkeY', 'y97qSLk4L2'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, T42vxya1RVn0pijrE2.cs	High entropy of concatenated method names: 'rn5QvAuqCO', 'DRpQqSfImm', 'OAuQrCh9id', 'pTFrbvdQIr', 'wKErz0V7Pf', 'AHDQg2Xcq9', 'FDjQegtu2n', 'WAVQyCDJQr', 'JU8Q0fEtwK', 'aHqQ1csBcR'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, x9nb8ZloLFW8ZxgXRj.cs	High entropy of concatenated method names: 'UabMfigQ5e', 'dtrM71qp1y', 'Ij9MMMcISN', 'CKPMjg7bI7', 'euZMwiTkCd', 'BuAMs6t85l', 'Dispose', 'yX6Tvt3SJH', 'xRGThieZjo', 'BG7TqleQ73'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, GJwJcahRxl2glY1GF2.cs	High entropy of concatenated method names: 'Dispose', 'RW8e9ZxgXR', 'G5wynhH9HL', 'fRHembvwLi', 'tlYebTPllt', 'eRQez1hSn4', 'ProcessDialogKey', 'tLjygMHjpQ', 'JMBye2G9WM', 'zcayyapds2'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, YIqdnTZwEPBrH1FTHb.cs	High entropy of concatenated method names: 'PrshpVcwco', 'LPchFwowsK', 'TgghDx0pWy', 'sMnhII2dLD', 'ma7h82kj7U', 'FCIh6Zm7Yp', 'OEihl7kIsi', 'iEehJGwXS7', 'ogEh9Lj8Oq', 'ojThbM70ln'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, Ik3l8gyn3JBR4Aphj1.cs	High entropy of concatenated method names: 'Hinx1fO8D', 'f7VdV741K', 'NFKmMcXdo', 'esgVWTaUX', 'jmmWiXonO', 'bZEXHouCy', 'HgiMke3R5y5KU0k9uN', 'QNS4Y3DoymPEhAsuNm', 'nuhTjqBZW', 'BA62eYpkP'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	High entropy of concatenated method names: 'g9O0E7aiAc', 'RCv0vdQk3R', 'cfG0htCNYr', 'WTq0qZLsTM', 'P7o0B3dLm2', 'eM40rewRfy', 'svJ0QbTTTT', 'wBW0HrF7yB', 'pE00UFNTVy', 'iEv0AiMvOj'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, kR2qoEegexqRSRTMPkp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ztY2NKQwPo', 'ldB2RltFyq', 'CZE2C9h3f8', 'TZt2p7QwNd', 'uk32FPdxCP', 'xOn2DOnAvD', 'Cq52In4GWF'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, qrtTTL1JYUqWTG5Lqr.cs	High entropy of concatenated method names: 'wubeQIqdnT', 'vEPeHBrH1F', 'TECeA7oEI5', 'MyueiVNybY', 'rn5ef4Piuv', 'ge9eGreOtO', 'CW9RKsYRoPepWWTLmH', 'CX3BGOku1Z5K0JKS2X', 'O9LeecZ05w', 'B4Qe0l7e62'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, LMveT8COW3NBEw3BD5.cs	High entropy of concatenated method names: 'dPIOZrjL7R', 'ngHOWJhAtc', 'HtuOoIoglF', 'mGcOn7jbFS', 'Mi3OLZUxsn', 'AcdOPC7v87', 'FK2OaPcT96', 'zjcOcwUwxY', 'RRBOSJntB3', 'YMTON9CVBa'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, SSEXIHe1GqRIqTRj6Uw.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iNY3MHVNoj', 'y2m321XkkW', 'zKm3jL4KCD', 'XoJ33HGbSE', 'vTe3wlgUPU', 'K2g35GrKIh', 'rj53sOp6K9'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4c14a38.4.raw.unpack, DfCA8NImunWKhJZGlY.cs	High entropy of concatenated method names: 'iCQ7AChSPA', 'zx57icJYcP', 'ToString', 'lKj7vfnhjM', 'c5y7hHjTuZ', 'gNI7q0OsAe', 'ogi7B3sUKx', 'My27rAWxQ5', 'OSI7QKiEZs', 'kXU7H8roeM'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, ejZGFIWEC7oEI54yuV.cs	High entropy of concatenated method names: 'LOGqd4Yvul', 'R7GqmaQ669', 'H5bqZbpR3r', 'R7hqWUigB2', 'OIqqfPcgmo', 'qm4qG17kce', 'F3Uq70miE5', 'LywqTcPlE5', 'KT9qMuJrlS', 'ykiq2yucjU'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, tMHjpQ9tMB2G9WMxca.cs	High entropy of concatenated method names: 'hBeMoEt3Z8', 'wK1Mn4A9MK', 'bElMYe6aWu', 'y4GMLQlaav', 'vriMP9jvYb', 'rmXMtSrNh0', 'JGFMaeTx0Z', 'zfaMc5Fcw7', 'IKIM4bfwr3', 'Ju7MSX1Iud'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, uG3L8eeeeNpD6r3MYnA.cs	High entropy of concatenated method names: 'Ir62bqvkPh', 'VXu2zJvVBl', 'Orljg6dgxN', 'hZYjexWbME', 'MmbjyN6iOp', 'UDWj05AdmT', 'rdIj1o8lt0', 'mNfjEAp0ya', 'JmrjvD98gx', 'p2KjhK4GGO'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, muvhe9oreOtObp2D1K.cs	High entropy of concatenated method names: 'a3irEAia4J', 'v2srhahlq3', 'H1grBGQNFI', 'QGmrQRuBPu', 'rFhrHxWBVH', 'vcBB8SRuGh', 'QMcB6Wvf3O', 'XVfBlAfrAn', 'DoBBJOXRId', 'jyNB9MQq1F'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, nnWCtK49FAAnUT3Duh.cs	High entropy of concatenated method names: 'SfWQuE84mc', 'Lf7QkP2oEa', 'valQxGjfeQ', 'nksQd1cBEf', 'D40QKPcMIo', 'YHpQmdFe15', 'TygQV99RFR', 'wfeQZ3TXGN', 'nWvQWB5Isj', 'RICQXeLHtM'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, cKx96hzHJ3vxIFm6hw.cs	High entropy of concatenated method names: 'ACm2mB2peL', 'vWN2ZnXCPP', 'W0I2Wlwgas', 'drN2oH06Lg', 'Kcx2nyYUqQ', 'xRS2LjJf7a', 'QPt2P4MCA5', 'AjQ2sdRS2Z', 'l4o2uWwygH', 'UNQ2kw7RnK'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, GTpSuV6ePOHDmoiebI.cs	High entropy of concatenated method names: 'lND7J47LIi', 'hkQ7bRfOCt', 'N4eTg4rEgt', 'gfWTeq2bOn', 'Kwm7N8k2Ni', 'C0B7Rj5XHU', 'TiH7Crg9jq', 'QLj7pX5mv1', 'z087FFqeVZ', 'Pq87DsFcK3'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, Kpds23bRZ3g8UawtCn.cs	High entropy of concatenated method names: 'bLQ2qGkGF2', 'A5P2BboOwe', 'gSX2rCGL0g', 'ptp2QkkTgS', 'lUd2MRPsbK', 'UxF2HTtEG5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, OybYUnXBlbhQxTn54P.cs	High entropy of concatenated method names: 'r5iBKtGRo0', 'QppBVQEl1y', 'q4dqYqYwR7', 'z6vqLUuxxm', 'N69qPV1SmW', 'dIKqtmLbST', 'GyQqaL9Aro', 'g1sqcEpFoQ', 'Y2Kq4jFkeY', 'y97qSLk4L2'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, T42vxya1RVn0pijrE2.cs	High entropy of concatenated method names: 'rn5QvAuqCO', 'DRpQqSfImm', 'OAuQrCh9id', 'pTFrbvdQIr', 'wKErz0V7Pf', 'AHDQg2Xcq9', 'FDjQegtu2n', 'WAVQyCDJQr', 'JU8Q0fEtwK', 'aHqQ1csBcR'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, x9nb8ZloLFW8ZxgXRj.cs	High entropy of concatenated method names: 'UabMfigQ5e', 'dtrM71qp1y', 'Ij9MMMcISN', 'CKPMjg7bI7', 'euZMwiTkCd', 'BuAMs6t85l', 'Dispose', 'yX6Tvt3SJH', 'xRGThieZjo', 'BG7TqleQ73'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, GJwJcahRxl2glY1GF2.cs	High entropy of concatenated method names: 'Dispose', 'RW8e9ZxgXR', 'G5wynhH9HL', 'fRHembvwLi', 'tlYebTPllt', 'eRQez1hSn4', 'ProcessDialogKey', 'tLjygMHjpQ', 'JMBye2G9WM', 'zcayyapds2'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, YIqdnTZwEPBrH1FTHb.cs	High entropy of concatenated method names: 'PrshpVcwco', 'LPchFwowsK', 'TgghDx0pWy', 'sMnhII2dLD', 'ma7h82kj7U', 'FCIh6Zm7Yp', 'OEihl7kIsi', 'iEehJGwXS7', 'ogEh9Lj8Oq', 'ojThbM70ln'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, Ik3l8gyn3JBR4Aphj1.cs	High entropy of concatenated method names: 'Hinx1fO8D', 'f7VdV741K', 'NFKmMcXdo', 'esgVWTaUX', 'jmmWiXonO', 'bZEXHouCy', 'HgiMke3R5y5KU0k9uN', 'QNS4Y3DoymPEhAsuNm', 'nuhTjqBZW', 'BA62eYpkP'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	High entropy of concatenated method names: 'g9O0E7aiAc', 'RCv0vdQk3R', 'cfG0htCNYr', 'WTq0qZLsTM', 'P7o0B3dLm2', 'eM40rewRfy', 'svJ0QbTTTT', 'wBW0HrF7yB', 'pE00UFNTVy', 'iEv0AiMvOj'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, kR2qoEegexqRSRTMPkp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ztY2NKQwPo', 'ldB2RltFyq', 'CZE2C9h3f8', 'TZt2p7QwNd', 'uk32FPdxCP', 'xOn2DOnAvD', 'Cq52In4GWF'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, qrtTTL1JYUqWTG5Lqr.cs	High entropy of concatenated method names: 'wubeQIqdnT', 'vEPeHBrH1F', 'TECeA7oEI5', 'MyueiVNybY', 'rn5ef4Piuv', 'ge9eGreOtO', 'CW9RKsYRoPepWWTLmH', 'CX3BGOku1Z5K0JKS2X', 'O9LeecZ05w', 'B4Qe0l7e62'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, LMveT8COW3NBEw3BD5.cs	High entropy of concatenated method names: 'dPIOZrjL7R', 'ngHOWJhAtc', 'HtuOoIoglF', 'mGcOn7jbFS', 'Mi3OLZUxsn', 'AcdOPC7v87', 'FK2OaPcT96', 'zjcOcwUwxY', 'RRBOSJntB3', 'YMTON9CVBa'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, SSEXIHe1GqRIqTRj6Uw.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iNY3MHVNoj', 'y2m321XkkW', 'zKm3jL4KCD', 'XoJ33HGbSE', 'vTe3wlgUPU', 'K2g35GrKIh', 'rj53sOp6K9'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.b6a0000.6.raw.unpack, DfCA8NImunWKhJZGlY.cs	High entropy of concatenated method names: 'iCQ7AChSPA', 'zx57icJYcP', 'ToString', 'lKj7vfnhjM', 'c5y7hHjTuZ', 'gNI7q0OsAe', 'ogi7B3sUKx', 'My27rAWxQ5', 'OSI7QKiEZs', 'kXU7H8roeM'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, ejZGFIWEC7oEI54yuV.cs	High entropy of concatenated method names: 'LOGqd4Yvul', 'R7GqmaQ669', 'H5bqZbpR3r', 'R7hqWUigB2', 'OIqqfPcgmo', 'qm4qG17kce', 'F3Uq70miE5', 'LywqTcPlE5', 'KT9qMuJrlS', 'ykiq2yucjU'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, tMHjpQ9tMB2G9WMxca.cs	High entropy of concatenated method names: 'hBeMoEt3Z8', 'wK1Mn4A9MK', 'bElMYe6aWu', 'y4GMLQlaav', 'vriMP9jvYb', 'rmXMtSrNh0', 'JGFMaeTx0Z', 'zfaMc5Fcw7', 'IKIM4bfwr3', 'Ju7MSX1Iud'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, uG3L8eeeeNpD6r3MYnA.cs	High entropy of concatenated method names: 'Ir62bqvkPh', 'VXu2zJvVBl', 'Orljg6dgxN', 'hZYjexWbME', 'MmbjyN6iOp', 'UDWj05AdmT', 'rdIj1o8lt0', 'mNfjEAp0ya', 'JmrjvD98gx', 'p2KjhK4GGO'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, muvhe9oreOtObp2D1K.cs	High entropy of concatenated method names: 'a3irEAia4J', 'v2srhahlq3', 'H1grBGQNFI', 'QGmrQRuBPu', 'rFhrHxWBVH', 'vcBB8SRuGh', 'QMcB6Wvf3O', 'XVfBlAfrAn', 'DoBBJOXRId', 'jyNB9MQq1F'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, nnWCtK49FAAnUT3Duh.cs	High entropy of concatenated method names: 'SfWQuE84mc', 'Lf7QkP2oEa', 'valQxGjfeQ', 'nksQd1cBEf', 'D40QKPcMIo', 'YHpQmdFe15', 'TygQV99RFR', 'wfeQZ3TXGN', 'nWvQWB5Isj', 'RICQXeLHtM'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, cKx96hzHJ3vxIFm6hw.cs	High entropy of concatenated method names: 'ACm2mB2peL', 'vWN2ZnXCPP', 'W0I2Wlwgas', 'drN2oH06Lg', 'Kcx2nyYUqQ', 'xRS2LjJf7a', 'QPt2P4MCA5', 'AjQ2sdRS2Z', 'l4o2uWwygH', 'UNQ2kw7RnK'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, GTpSuV6ePOHDmoiebI.cs	High entropy of concatenated method names: 'lND7J47LIi', 'hkQ7bRfOCt', 'N4eTg4rEgt', 'gfWTeq2bOn', 'Kwm7N8k2Ni', 'C0B7Rj5XHU', 'TiH7Crg9jq', 'QLj7pX5mv1', 'z087FFqeVZ', 'Pq87DsFcK3'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, Kpds23bRZ3g8UawtCn.cs	High entropy of concatenated method names: 'bLQ2qGkGF2', 'A5P2BboOwe', 'gSX2rCGL0g', 'ptp2QkkTgS', 'lUd2MRPsbK', 'UxF2HTtEG5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, OybYUnXBlbhQxTn54P.cs	High entropy of concatenated method names: 'r5iBKtGRo0', 'QppBVQEl1y', 'q4dqYqYwR7', 'z6vqLUuxxm', 'N69qPV1SmW', 'dIKqtmLbST', 'GyQqaL9Aro', 'g1sqcEpFoQ', 'Y2Kq4jFkeY', 'y97qSLk4L2'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, T42vxya1RVn0pijrE2.cs	High entropy of concatenated method names: 'rn5QvAuqCO', 'DRpQqSfImm', 'OAuQrCh9id', 'pTFrbvdQIr', 'wKErz0V7Pf', 'AHDQg2Xcq9', 'FDjQegtu2n', 'WAVQyCDJQr', 'JU8Q0fEtwK', 'aHqQ1csBcR'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, x9nb8ZloLFW8ZxgXRj.cs	High entropy of concatenated method names: 'UabMfigQ5e', 'dtrM71qp1y', 'Ij9MMMcISN', 'CKPMjg7bI7', 'euZMwiTkCd', 'BuAMs6t85l', 'Dispose', 'yX6Tvt3SJH', 'xRGThieZjo', 'BG7TqleQ73'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, GJwJcahRxl2glY1GF2.cs	High entropy of concatenated method names: 'Dispose', 'RW8e9ZxgXR', 'G5wynhH9HL', 'fRHembvwLi', 'tlYebTPllt', 'eRQez1hSn4', 'ProcessDialogKey', 'tLjygMHjpQ', 'JMBye2G9WM', 'zcayyapds2'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, YIqdnTZwEPBrH1FTHb.cs	High entropy of concatenated method names: 'PrshpVcwco', 'LPchFwowsK', 'TgghDx0pWy', 'sMnhII2dLD', 'ma7h82kj7U', 'FCIh6Zm7Yp', 'OEihl7kIsi', 'iEehJGwXS7', 'ogEh9Lj8Oq', 'ojThbM70ln'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, Ik3l8gyn3JBR4Aphj1.cs	High entropy of concatenated method names: 'Hinx1fO8D', 'f7VdV741K', 'NFKmMcXdo', 'esgVWTaUX', 'jmmWiXonO', 'bZEXHouCy', 'HgiMke3R5y5KU0k9uN', 'QNS4Y3DoymPEhAsuNm', 'nuhTjqBZW', 'BA62eYpkP'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, lwLNX7HLpB3TkaujOQ.cs	High entropy of concatenated method names: 'g9O0E7aiAc', 'RCv0vdQk3R', 'cfG0htCNYr', 'WTq0qZLsTM', 'P7o0B3dLm2', 'eM40rewRfy', 'svJ0QbTTTT', 'wBW0HrF7yB', 'pE00UFNTVy', 'iEv0AiMvOj'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, kR2qoEegexqRSRTMPkp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ztY2NKQwPo', 'ldB2RltFyq', 'CZE2C9h3f8', 'TZt2p7QwNd', 'uk32FPdxCP', 'xOn2DOnAvD', 'Cq52In4GWF'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, qrtTTL1JYUqWTG5Lqr.cs	High entropy of concatenated method names: 'wubeQIqdnT', 'vEPeHBrH1F', 'TECeA7oEI5', 'MyueiVNybY', 'rn5ef4Piuv', 'ge9eGreOtO', 'CW9RKsYRoPepWWTLmH', 'CX3BGOku1Z5K0JKS2X', 'O9LeecZ05w', 'B4Qe0l7e62'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, LMveT8COW3NBEw3BD5.cs	High entropy of concatenated method names: 'dPIOZrjL7R', 'ngHOWJhAtc', 'HtuOoIoglF', 'mGcOn7jbFS', 'Mi3OLZUxsn', 'AcdOPC7v87', 'FK2OaPcT96', 'zjcOcwUwxY', 'RRBOSJntB3', 'YMTON9CVBa'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, SSEXIHe1GqRIqTRj6Uw.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iNY3MHVNoj', 'y2m321XkkW', 'zKm3jL4KCD', 'XoJ33HGbSE', 'vTe3wlgUPU', 'K2g35GrKIh', 'rj53sOp6K9'
Source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4b95218.1.raw.unpack, DfCA8NImunWKhJZGlY.cs	High entropy of concatenated method names: 'iCQ7AChSPA', 'zx57icJYcP', 'ToString', 'lKj7vfnhjM', 'c5y7hHjTuZ', 'gNI7q0OsAe', 'ogi7B3sUKx', 'My27rAWxQ5', 'OSI7QKiEZs', 'kXU7H8roeM'

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe PID: 7580, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Memory allocated: 1640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Memory allocated: 3120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Memory allocated: 9370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Memory allocated: A370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Memory allocated: A580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Memory allocated: 7C10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Memory allocated: B720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Memory allocated: C720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Memory allocated: D720000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3990			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2166			Jump to behavior

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe TID: 7600

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99751	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99515	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99296	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99186	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99059	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98949	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98838	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98709	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98139	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97920	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97702	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Jump to behavior

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2931059217.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2931059217.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7736, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2931059217.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7736, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4d11fd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.4cd6bb8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2931059217.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2931059217.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7736, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	49%	Virustotal		Browse
rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://www.sakkal.coml	0%	Avira URL Cloud	safe
http://cp8nl.hyperhost.ua	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cp8nl.hyperhost.ua	185.174.175.187	true	true		unknown
18.31.95.13.in-addr.arpa	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2930467946.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2930467946.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2930467946.0000000000E2C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2936973072.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	false		high
http://www.carterandcone.coml	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Polly_PipeDataSet.xsd	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe	false		high
http://www.jiyu-kobo.co.jp/	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.coml	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731518943.0000000005A14000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe, 00000000.00000002.1731804086.0000000007252000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cp8nl.hyperhost.ua	RegSvcs.exe, 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.174.175.187	cp8nl.hyperhost.ua	Ukraine		21100	ITLDC-NLUA	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1600779
Start date and time:	2025-01-27 23:31:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 25 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50, 13.95.31.18, 4.245.163.56, 13.107.246.61
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:31:59	API Interceptor	1x Sleep call for process: rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe modified
17:32:00	API Interceptor	30x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.174.175.187	j66xcjuMKP.exe	Get hash	malicious	AgentTesla	Browse
	54B0E7E0Mk.exe	Get hash	malicious	AgentTesla	Browse
	EIqeWlQMGR.exe	Get hash	malicious	AgentTesla	Browse
	Pago_7839389309_8w20w808_723869189.exe	Get hash	malicious	AgentTesla	Browse
	Factura_680368_7996260709.exe	Get hash	malicious	AgentTesla	Browse
	OPL38839292092-XRT783892910-BI7893923929.exe	Get hash	malicious	AgentTesla	Browse
	rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Get hash	malicious	AgentTesla	Browse
	rPGI786687-7688Q21-SWYPPJIK89900.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.BackDoor.SpyBotNET.62.1543.28282.exe	Get hash	malicious	AgentTesla	Browse
	rPDG8838EHU0309-XYSUJ288399-PQSHXII399.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cp8nl.hyperhost.ua	j66xcjuMKP.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	54B0E7E0Mk.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	EIqeWlQMGR.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	Pago_7839389309_8w20w808_723869189.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	Factura_680368_7996260709.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	OPL38839292092-XRT783892910-BI7893923929.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rPGI786687-7688Q21-SWYPPJIK89900.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	SecuriteInfo.com.BackDoor.SpyBotNET.62.1543.28282.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rPDG8838EHU0309-XYSUJ288399-PQSHXII399.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ITLDC-NLUA	DCV78I939025789245.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	185.174.173.22
	j66xcjuMKP.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	54B0E7E0Mk.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	sora.mpsl.elf	Get hash	malicious	Unknown	Browse	5.34.180.213
	PAYMENT RECEIPT.html	Get hash	malicious	HTMLPhisher	Browse	185.174.173.22
	Mg5bMQ2lWi.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129
	cNF6fXdjPw.dll	Get hash	malicious	Socks5Systemz	Browse	185.237.206.129
	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129
	wG1fFAzGfH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129
	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129

Process:	C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.27220747866742
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
File size:	1'022'472 bytes
MD5:	38738d1bcce9a92053d0b2ff204da017
SHA1:	5d3e8a4d369e1528ca1d25146199444f5a77cd5f
SHA256:	34444d4292fb1f61fad6019625d22b9b88868e8af67aa0a84f1319ce8d571f01
SHA512:	707fb504942509851ab9f3c801f0e748946f66abaab911d4e1bdc2b896ff71c22e925435e89bde94a20d2e717216fd83af4e9f95b79987e1aa6396ad1d2a9648
SSDEEP:	12288:md0N6S1c2fTZUkwu0KgZVVaQlc+LrQ62iZL9FE0JidOv8rSsNSUr3CaNxP88DO8v:E00SXfOKGHc+LU622Ji4v8rkUr3CaP
TLSH:	0D254BDC3620339ECC67D579CA686C74E7603476630B629390D713EA7A4C693DF18AA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T5................0..Z..........^y... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4f795e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x961E3554 [Sat Oct 23 00:35:32 2049 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf7910	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf8000	0x5a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xf6400	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xfa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf5964	0xf5a00	0213afcc0e6a3834cb74c3c1655c2968	False	0.7188245467557252	data	7.264339353751273	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xf8000	0x5a0	0x600	abd2f2d9005eef755e452600a3fdc979	False	0.4192708333333333	data	4.062719011898018	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xfa000	0xc	0x200	b847ea7d37de73259608fb8378ad687b	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xf80a0	0x314	data			0.43274111675126903
RT_MANIFEST	0xf83b4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 27
• 587 undefined
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2025 23:32:01.541935921 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:01.546753883 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:01.546833038 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:02.425179005 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:02.450242043 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:02.455075026 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:02.629668951 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:02.635289907 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:02.640141964 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:02.816309929 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:02.847008944 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:02.851778030 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.035449982 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.035470009 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.035485029 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.035500050 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.035514116 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.035542965 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:03.035635948 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:03.126357079 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.141578913 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:03.146964073 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.332617998 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.351502895 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:03.356369019 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.530837059 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.531721115 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:03.536551952 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.711728096 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.712143898 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:03.716999054 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.906825066 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:03.907104969 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:03.911989927 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:04.086637020 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:04.087886095 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:04.092730999 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:04.285777092 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:04.285988092 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:04.290844917 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:04.465837002 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:04.466646910 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:04.466646910 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:04.466646910 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:04.466648102 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:04.471556902 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:04.471573114 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:04.471911907 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:04.780714035 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:32:04.828782082 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:32:30.679271936 CET	53667	53	192.168.2.4	162.159.36.2
Jan 27, 2025 23:32:30.684179068 CET	53	53667	162.159.36.2	192.168.2.4
Jan 27, 2025 23:32:30.684264898 CET	53667	53	192.168.2.4	162.159.36.2
Jan 27, 2025 23:32:30.693459034 CET	53	53667	162.159.36.2	192.168.2.4
Jan 27, 2025 23:32:31.141273975 CET	53667	53	192.168.2.4	162.159.36.2
Jan 27, 2025 23:32:31.146316051 CET	53	53667	162.159.36.2	192.168.2.4
Jan 27, 2025 23:32:31.146387100 CET	53667	53	192.168.2.4	162.159.36.2
Jan 27, 2025 23:33:41.501322031 CET	49736	587	192.168.2.4	185.174.175.187
Jan 27, 2025 23:33:41.506323099 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:33:41.681435108 CET	587	49736	185.174.175.187	192.168.2.4
Jan 27, 2025 23:33:41.686530113 CET	49736	587	192.168.2.4	185.174.175.187

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2025 23:32:01.479782104 CET	60942	53	192.168.2.4	1.1.1.1
Jan 27, 2025 23:32:01.535861969 CET	53	60942	1.1.1.1	192.168.2.4
Jan 27, 2025 23:32:30.675296068 CET	53	56339	162.159.36.2	192.168.2.4
Jan 27, 2025 23:32:31.154649019 CET	49921	53	192.168.2.4	1.1.1.1
Jan 27, 2025 23:32:31.178714037 CET	53	49921	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 27, 2025 23:32:01.479782104 CET	192.168.2.4	1.1.1.1	0x6917	Standard query (0)	cp8nl.hyperhost.ua	A (IP address)	IN (0x0001)	false
Jan 27, 2025 23:32:31.154649019 CET	192.168.2.4	1.1.1.1	0xf61f	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 27, 2025 23:32:01.535861969 CET	1.1.1.1	192.168.2.4	0x6917	No error (0)	cp8nl.hyperhost.ua		185.174.175.187	A (IP address)	IN (0x0001)	false
Jan 27, 2025 23:32:31.178714037 CET	1.1.1.1	192.168.2.4	0xf61f	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 27, 2025 23:32:02.425179005 CET	587	49736	185.174.175.187	192.168.2.4	220-cp8nl.hyperhost.ua ESMTP Exim 4.98 #2 Tue, 28 Jan 2025 00:32:02 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 27, 2025 23:32:02.450242043 CET	49736	587	192.168.2.4	185.174.175.187	EHLO 364339
Jan 27, 2025 23:32:02.629668951 CET	587	49736	185.174.175.187	192.168.2.4	250-cp8nl.hyperhost.ua Hello 364339 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=1000 RCPTMAX=50000 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Jan 27, 2025 23:32:02.635289907 CET	49736	587	192.168.2.4	185.174.175.187	STARTTLS
Jan 27, 2025 23:32:02.816309929 CET	587	49736	185.174.175.187	192.168.2.4	220 TLS go ahead

Statistics

CPU Usage

• rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
• RegSvcs.exe

Click to jump to process

Memory Usage

• rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
• RegSvcs.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Behavior

• rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
• RegSvcs.exe

Click to jump to process

Target ID:	0
Start time:	17:31:57
Start date:	27/01/2025
Path:	C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe"
Imagebase:	0xbc0000
File size:	1'022'472 bytes
MD5 hash:	38738D1BCCE9A92053D0B2FF204DA017
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1728748862.0000000004CD6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:31:59
Start date:	27/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x5d0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2931059217.00000000028AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2931059217.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2928953107.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2931059217.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2931059217.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	159
Total number of Limit Nodes:	15

Executed Functions

Function 0785B928 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885cd1ed56e7af50b303198869d0e5dbd8646e4016cbbe18c9f557197b10fe6a
Instruction ID: d448b97d6b80f44f6626ac8c598df59dd272474a5b93d8163a140c376d7d6f44
Opcode Fuzzy Hash: 885cd1ed56e7af50b303198869d0e5dbd8646e4016cbbe18c9f557197b10fe6a
Instruction Fuzzy Hash: A34270B4E11219CFDB54CFA9C984B9DBBB2FF58310F1481A9E909A7355DB30AA81CF50

Function 0785A658 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52704586538962c7e71f75d4cd857ad064648583870d1c650050a7ecf4d794e4
Instruction ID: fa729cdd6ef2272ac79e80f1fda7cae4e8f66a874a4e45212764c177a7db9119
Opcode Fuzzy Hash: 52704586538962c7e71f75d4cd857ad064648583870d1c650050a7ecf4d794e4
Instruction Fuzzy Hash: C232E2B0901219CFDB54DF69C580A8EFFB2BF48315F55D299E408AB212DB30E985CFA5

Function 0785B918 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059ee99d08e58a3204196aa277613c686abf6905600611f2cd7d5115c119def8
Instruction ID: 066266b94e48adf95a97cb31d10010ffb6fcee7fd47184fb58e84a218c726006
Opcode Fuzzy Hash: 059ee99d08e58a3204196aa277613c686abf6905600611f2cd7d5115c119def8
Instruction Fuzzy Hash: BB61A5B5E01218CFDB18CFAAD984B9DBBB2FF88310F14C1A9E909A7254DB319941CF50

Function 0785EBE0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c58b84cb8a039bf4ea456cff3e0d8f8e4eb6b322fac21ec113b8074fe99a52
Instruction ID: 2ec60469e32f2974f1ff63055bc7ac9d86d5df5f7028229f7614cadf933eb8b1
Opcode Fuzzy Hash: a4c58b84cb8a039bf4ea456cff3e0d8f8e4eb6b322fac21ec113b8074fe99a52
Instruction Fuzzy Hash: 985193B5D0061D9FDB04CFEAC9446EEFBB2BF89300F14802AE819AB254DB745A06CF50

Function 0785A64B Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 403b2606801613186b8d671cd07147f6b3c43a2f5f77cc4cbb050c1c5d981987
Instruction ID: 279da560e649fcfd45deaa16fb0524754813d62a800a0019d6f8add18ca42048
Opcode Fuzzy Hash: 403b2606801613186b8d671cd07147f6b3c43a2f5f77cc4cbb050c1c5d981987
Instruction Fuzzy Hash: 5241CEB1E006198FEB58DF6BC84079EBBF2BF99300F14D5AAD55CE6254EB300A458F51

Function 0785EBD3 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4769bb6c77f90522f124c28a31b7d8e9e792d88e4b62e9d109485ec50f9b4f02
Instruction ID: 032c55e4bb196d9905f236a1528c7e0185ef10d1f1f2e796f88dfaea52a2b0bf
Opcode Fuzzy Hash: 4769bb6c77f90522f124c28a31b7d8e9e792d88e4b62e9d109485ec50f9b4f02
Instruction Fuzzy Hash: E14193B5E006199FDB08DFEAD98469EFBF2AF88300F14C02AD819AB254DB745A45CF40

Function 0168B280 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0168B4E6

Strings

/$q5, xrefs: 0168B49F

Memory Dump Source

Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID: HandleModule
String ID: /$q5
API String ID: 4139908857-2261123804
Opcode ID: 7041387c47318c5a2c5871a71edf7438a9433da0f1a75e4e023d6fe7fb939c7b
Instruction ID: 64f3092a1f78dc0ebf15dc008e33e66f3363a126cb321ad4cdd2b3d6e02c03b1
Opcode Fuzzy Hash: 7041387c47318c5a2c5871a71edf7438a9433da0f1a75e4e023d6fe7fb939c7b
Instruction Fuzzy Hash: 68814570A00B058FDB25EF6AD95479ABBF1FF48200F108A2ED486D7B50D775E945CB90

Function 01685DA4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01685E61

Strings

/$q5, xrefs: 01685DE4

Memory Dump Source

Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID: Create
String ID: /$q5
API String ID: 2289755597-2261123804
Opcode ID: 8f521859da26bd081eefde49569c6cd1430973580dcee6af48cbf4308a20f986
Instruction ID: 9b1d56575b53f9a89f7b9a11d3bead3f4c9492bd8a30b2afc94485acb993a7e8
Opcode Fuzzy Hash: 8f521859da26bd081eefde49569c6cd1430973580dcee6af48cbf4308a20f986
Instruction Fuzzy Hash: C741E1B0C00219CEDB24DFA9C844BDDFBB5BF49304F24819AD509AB255DB755946CF90

Function 0168490C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01685E61

Strings

/$q5, xrefs: 01685DE4

Memory Dump Source

Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID: Create
String ID: /$q5
API String ID: 2289755597-2261123804
Opcode ID: fd14b575fc25334699f536bbf22bc53000860f13d02c30b2b627d6080ea87299
Instruction ID: 1ec6fa2de6816326d5ae6c8777cbcd023cf58e6b7af2584b1f40efb602caf716
Opcode Fuzzy Hash: fd14b575fc25334699f536bbf22bc53000860f13d02c30b2b627d6080ea87299
Instruction Fuzzy Hash: F841C1B0C00719CBDB24EFA9C848B9EFBB5BF48304F24816AD509AB255DB75A945CF90

Function 078511A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0785123F

Strings

/$q5, xrefs: 078511CD

Memory Dump Source

Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID: DrawText
String ID: /$q5
API String ID: 2175133113-2261123804
Opcode ID: 0360b8c863689b6635626f4716cd22207e3a98cc18fb28b27f22c15e61b592dd
Instruction ID: f9e3802ff31dea7c3b950e4be6c225de6bdd1d6b190867344c778f289c93a4ae
Opcode Fuzzy Hash: 0360b8c863689b6635626f4716cd22207e3a98cc18fb28b27f22c15e61b592dd
Instruction Fuzzy Hash: 9531C0B5D013599FDB10CF9AD884ADEFBF5FB58320F14842AE919A7210D774A944CFA0

Function 078511A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0785123F

Strings

/$q5, xrefs: 078511CD

Memory Dump Source

Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID: DrawText
String ID: /$q5
API String ID: 2175133113-2261123804
Opcode ID: 4ffb1c93b10cebefcc6cda7b62487542841efe5b1164c0d47c769af0bf07a09a
Instruction ID: 7f60957f63f51db5f938d5f9c51fc023a898b011883e469a018dcaedd517d0c1
Opcode Fuzzy Hash: 4ffb1c93b10cebefcc6cda7b62487542841efe5b1164c0d47c769af0bf07a09a
Instruction Fuzzy Hash: C021CEB5D0024A9FDB10CF9AD884A9EFBF5FB58320F14842AE919A7210D774A944CFA0

Function 0168D298 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0168D72E,?,?,?,?,?), ref: 0168D7EF

Strings

/$q5, xrefs: 0168D787

Memory Dump Source

Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID: DuplicateHandle
String ID: /$q5
API String ID: 3793708945-2261123804
Opcode ID: 384025a9f9f5dadd8f563de538f9b5170c45b61539d1edbbf3af180882fdbe07
Instruction ID: 320b586034b515096ef4736d7ea1fbe63a23ffcc251a8808125de0e44274ed4b
Opcode Fuzzy Hash: 384025a9f9f5dadd8f563de538f9b5170c45b61539d1edbbf3af180882fdbe07
Instruction Fuzzy Hash: CA21E3B59002589FDB10DF9AD984AEEBBF4EB48320F14805AE918A7350D374A940CFA4

Function 0168D760 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0168D72E,?,?,?,?,?), ref: 0168D7EF

Strings

/$q5, xrefs: 0168D787

Memory Dump Source

Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID: DuplicateHandle
String ID: /$q5
API String ID: 3793708945-2261123804
Opcode ID: 33ee396b501b99389ba179e4a03344c33531d0ab4d94202718d310ac40f443de
Instruction ID: 0a416436fa6cb3308b1bc73cc77af83edc0ef5fc10cdbff290c21a7a7fef4388
Opcode Fuzzy Hash: 33ee396b501b99389ba179e4a03344c33531d0ab4d94202718d310ac40f443de
Instruction Fuzzy Hash: 2E21E3B59002589FDB10DF9AD984ADEBFF4FB48310F14805AE918A7350D374A944CFA4

Function 0168B480 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0168B4E6

Strings

/$q5, xrefs: 0168B49F

Memory Dump Source

Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID: HandleModule
String ID: /$q5
API String ID: 4139908857-2261123804
Opcode ID: 9b1b5a73741cd595ee618be0014c95d04b5b5abcda97e573da64a0965d9cb353
Instruction ID: b76a607785d7d8da047efe6ec5cfba4d42cecf7f1bee11c319c3f645da368b24
Opcode Fuzzy Hash: 9b1b5a73741cd595ee618be0014c95d04b5b5abcda97e573da64a0965d9cb353
Instruction Fuzzy Hash: 1D1110B5C002498FDB10DF9AD844ADEFBF4AF88320F10852AD918B7310C379A545CFA1

Function 0149D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726115588.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_149d000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba254b620f8b1a432f07c598f401b4c4af8db4d45cfdf2b32ff6235a34d2ce0c
Instruction ID: 5df5003fba3e6a1ad75ec77d47da7e3f44514bd7292b070250c24675c3c820e3
Opcode Fuzzy Hash: ba254b620f8b1a432f07c598f401b4c4af8db4d45cfdf2b32ff6235a34d2ce0c
Instruction Fuzzy Hash: A321D371904240DFDF05DF58DAC0B27BF65FB88328F24C56AE9094B266C336D456CBA1

Function 014AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726165396.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de70672741327aaa91a555f0e53be06375be3892bb2f09987b5d7b2b5f99c6a9
Instruction ID: 49c7dfee171f02636e3edd78d7cd183b37fcf44ed0b84e9f5b1d134e4fd198fc
Opcode Fuzzy Hash: de70672741327aaa91a555f0e53be06375be3892bb2f09987b5d7b2b5f99c6a9
Instruction Fuzzy Hash: CA2145B0988200DFCB15DF58D980B17BFA1EB94318F60C56ED80A4B766C336C407CA61

Function 014AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726165396.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6cb3d90a5a6d46e52f2cb59a07081bfa1a1da166c751c7f22d0472b72faae96
Instruction ID: df4d5c2fef20c8b3906b1a128d60f34fc85b318e598a2d57346a082642f46e98
Opcode Fuzzy Hash: c6cb3d90a5a6d46e52f2cb59a07081bfa1a1da166c751c7f22d0472b72faae96
Instruction Fuzzy Hash: 67214972904200DFDB01DF98C9C0B26BBA5FB94324F60C57ED8094B762C336D446CA61

Function 014AD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726165396.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce64fa4f702d7e3a5767d02b8e5288fae121a3625bf4026ded585e94b23bd7c0
Instruction ID: b7bd555bf5cc8fdc2830847733ccbb3699bcdf8aae46d548d9e1c56d8f389bf1
Opcode Fuzzy Hash: ce64fa4f702d7e3a5767d02b8e5288fae121a3625bf4026ded585e94b23bd7c0
Instruction Fuzzy Hash: A92192755493808FDB03CF24D594716BF71EB46218F29C5DBD8498F6A7C33A980ACB62

Function 0149D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726115588.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_149d000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 0099c2afd18ca1151c59fd722ac17aa3116df418d4cf03236be6504fecd6866e
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5511E176804280CFCF02CF54D9C4B16BF71FB84328F24C6AAD8090B266C336D45ACBA1

Function 014AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726165396.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ad000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: e6cbd3559f1dde374f7964b6be68b842111be56e9dcb0ec2087e137f35d193f9
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: DC11BB76904280DFDB02CF54C5C4B16BFA1FB84224F24C6AAD8494B7A6C33AD40ACB61

Function 0149D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726115588.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_149d000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f98c399e1fad4efd4d207cf9c5562f2ee69b2e1ed170e7e26d75fa01de6b48ba
Instruction ID: bdb2c2d58324d44a373d3583bbc9ad0c5fecc12a4eacf7ad4454aadf10a0f4a9
Opcode Fuzzy Hash: f98c399e1fad4efd4d207cf9c5562f2ee69b2e1ed170e7e26d75fa01de6b48ba
Instruction Fuzzy Hash: AA012B314083809AEB115EAACDC4B6FBF98DF41324F08C5ABED080F2A6D239D841CA71

Function 0149D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726115588.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_149d000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e60b95af4d4c446f2fca5b27a51cbbe340eb9792bebfa749234b61c9850d3940
Instruction ID: dbf94497bc7f3c4e35a31bf423fbdf882313a978f9b9256091cc92755d897d95
Opcode Fuzzy Hash: e60b95af4d4c446f2fca5b27a51cbbe340eb9792bebfa749234b61c9850d3940
Instruction Fuzzy Hash: 73F062754043849EEB118E5AD888B67FFA8EF51634F18C49AED085E296C2799844CAB1

Non-executed Functions

Function 0785DF68 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5617e34ffa750ade872e51ca4900a65e22504a7ade4b1391eff47df7ce28e4f2
Instruction ID: 579a89d706f7466c5229335b0fe2ee1f1c6a8687a3a0c4425eb133dbb96e1d4d
Opcode Fuzzy Hash: 5617e34ffa750ade872e51ca4900a65e22504a7ade4b1391eff47df7ce28e4f2
Instruction Fuzzy Hash: BEE1D9B4E041198FCB14CFA9C980AAEFBB2FF49305F248169E815EB355D735A941CF61

Function 0168E02C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1726540338.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1680000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661db438b3e2d8383478f70eac0f06f3dfa76f5ece3cd3581c829c132583049a
Instruction ID: c9b432a831c00d958a10d22285132e86b54d20041fb05d239957805f77728b56
Opcode Fuzzy Hash: 661db438b3e2d8383478f70eac0f06f3dfa76f5ece3cd3581c829c132583049a
Instruction Fuzzy Hash: 13A17032E0021ADFCF15EFB4C84459EBBB2FF85300B1546AAE901AB265DB32D956CB50

Function 0785EEC8 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b80534d1f58865899c019596d162ac23b869b0c04c402ecb0c66398dd3b262
Instruction ID: 344759bfa0ce01212af3e8c9ae725a574c4dfb35b173d10a4b84ca54d2298199
Opcode Fuzzy Hash: 53b80534d1f58865899c019596d162ac23b869b0c04c402ecb0c66398dd3b262
Instruction Fuzzy Hash: 097183B4E016198FCB04DFAAC58499EFBF2BF89300F14D166E818EB215DB34A945CF50

Function 0785EEB8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1732907829.0000000007850000.00000040.00000800.00020000.00000000.sdmp, Offset: 07850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7850000_rSGJ780097-JWVY8560I-HHWQEUUIT6F6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731fadf04cf45675f6f853baf8dad31c0999fcd7405d40409f2aff27b1020481
Instruction ID: 07a0a0e4d6554efec760eaa460fab39626a38744e2136a01a11ff44dd50478ac
Opcode Fuzzy Hash: 731fadf04cf45675f6f853baf8dad31c0999fcd7405d40409f2aff27b1020481
Instruction Fuzzy Hash: D05174B5E006198FDB08DFAAC98469EFBF2BF88300F14C16AD858EB354DB3459468F50

Analysis Process: RegSvcs.exePID: 7736, Parent PID: 7580COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	10
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 0103FDA0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 0103FE61

Memory Dump Source

Source File: 00000002.00000002.2930604000.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1030000_RegSvcs.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ce9cc356d10705ca6e05bd6a573a11c64db8cc7cf9ec0067d52633a48c04a9ab
Instruction ID: 5f70914c7dd7f5ac625d5c50bacbe22ede0a0c55ce133b930a0dd3b5fafa2b32
Opcode Fuzzy Hash: ce9cc356d10705ca6e05bd6a573a11c64db8cc7cf9ec0067d52633a48c04a9ab
Instruction Fuzzy Hash: B74129B5A00349CFCB14CF99C448AAABBF9FF88714F24C499D559AB321D734A841CFA1

Function 00C9D005 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2929607842.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c9d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b73a901c5d0cc71ff59a1401b25c89385a56ca7c266e4b02668f1808038a632
Instruction ID: 3ef893f4780e5001570460891353eff0779d49e1badbe87a1f51b980230354bf
Opcode Fuzzy Hash: 8b73a901c5d0cc71ff59a1401b25c89385a56ca7c266e4b02668f1808038a632
Instruction Fuzzy Hash: 6F316B7550D3C49FCB03CF24C994711BF71AB46214F29C5EBD9898F2A3C23A981ACB62

Function 00C9D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2929607842.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_c9d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb131bee52b430fa632ae2220fdff145a31595c344cadfa47036e0c5d64c6ca6
Instruction ID: e9266c49723c0a16e5dabf3835be5d867779473620c758cf2bf98b6a5b676ff3
Opcode Fuzzy Hash: cb131bee52b430fa632ae2220fdff145a31595c344cadfa47036e0c5d64c6ca6
Instruction Fuzzy Hash: FB210471504304DFDF14DF14DAC8B26BBA5FB84314F24C56DD80A5B296C33AD847CA62

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
rSGJ780097-JWVY8560I-HHWQEUUIT6F6.bat.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre