
Analysis Report: AdministratorDownloadsBL,.rar.exe

Overview

General Information

Sample Name: AdministratorDownloadsBL,.rar.exe
Analysis ID: 326336
MD5: 6fc0b6bc27b1d5c59a1500e2aea68722
SHA1: 837917dd7748ae07bd17357fa61045a75d30358e
SHA256: 14834e422ad8358e7ab81ecaeac49eaedcd036c084ab26c9e33193c26b138241
Tags: AgentTesla, exe


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • AdministratorDownloadsBL,.rar.exe (PID: 5528 cmdline: 'C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe' MD5: 6FC0B6BC27B1D5C59A1500E2AEA68722)
    • RegSvcs.exe (PID: 5576 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • RegSvcs.exe (PID: 4576 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • RegSvcs.exe (PID: 1288 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • RegSvcs.exe (PID: 5344 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
  • BAVLA.exe (PID: 6188 cmdline: 'C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • BAVLA.exe (PID: 6708 cmdline: 'C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
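The process tree above is the whole hollowing story in one place: the double-extension dropper starts RegSvcs.exe from the .NET 2.0 framework directory with the report's `{path}` placeholder (a command line that is the bare image path, with no assembly argument), that RegSvcs.exe starts two more, and the persistence copy BAVLA.exe under %APPDATA% carries the same MD5 as RegSvcs.exe (71369277D09DA0830C8C59F9E22BB23A), so it is a renamed copy of the framework utility rather than a separate payload. The Python below is an added detection example, not Joe Sandbox's code and not the malware's: it runs the checks implied by the signature list (double extension, an argument-less .NET host spawned from a user-writable path or from another such host, a system binary's hash reappearing under C:\Users, and two or more Win32_* hardware classes enumerated by one process) over constructed Sysmon-style events that mirror the tree. The event schema, the explorer.exe parents, the benign control rows, and the host and extension lists beyond what the page shows are assumptions.

```python
# Added detection example (not Joe Sandbox code) for the behaviours the report
# attributes to this sample: a double-extension dropper, RegSvcs.exe hollowing,
# a RegSvcs.exe copy parked under %APPDATA%, and WMI hardware probes.
import re
from collections import defaultdict

# Archive/document-looking name, then an executable extension ("BL,.rar.exe").
DOUBLE_EXT = re.compile(
    r"\.(rar|zip|7z|pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|pif)$", re.I)
# .NET utilities abused as hollowing hosts; the page shows RegSvcs.exe only.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
# WMI classes the report says were enumerated to fingerprint the machine.
VM_PROBE_CLASSES = {"win32_bios", "win32_baseboard", "win32_networkadapter",
                    "win32_processor"}

NET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
SAMPLE = r"C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe"
BAVLA = r"C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe"
REGSVCS_MD5 = "71369277D09DA0830C8C59F9E22BB23A"
FIELDS = ("pid", "ppid", "image", "parent_image", "cmdline", "md5")
# Constructed process-creation rows mirroring the report's Startup tree. PIDs,
# paths and MD5s are the report's; the explorer.exe parents and the benign
# control row (pid 7000, RegSvcs.exe given a real assembly) are assumed.
PROCESS_EVENTS = [dict(zip(FIELDS, row)) for row in (
    (5528, 4000, SAMPLE, r"C:\Windows\explorer.exe", "'" + SAMPLE + "'",
     "6FC0B6BC27B1D5C59A1500E2AEA68722"),
    (5576, 5528, NET, SAMPLE, NET, REGSVCS_MD5),
    (4576, 5528, NET, SAMPLE, NET, REGSVCS_MD5),
    (1288, 4576, NET, NET, NET, REGSVCS_MD5),
    (5344, 4576, NET, NET, NET, REGSVCS_MD5),
    (6188, 4000, BAVLA, r"C:\Windows\explorer.exe", "'" + BAVLA + "'", REGSVCS_MD5),
    (6200, 6188, r"C:\Windows\System32\conhost.exe", BAVLA,
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    (7000, 7001, NET, r"C:\Program Files\Vendor\setup.exe",
     NET + r" C:\Program Files\Vendor\Comp.dll", REGSVCS_MD5),
)]
# Constructed WMI enumerations: pid 4576 stands in for the report's process
# index 4; pid 8000 is an inventory agent that touches a single class.
WMI_EVENTS = [{"pid": 4576, "query": "root\\cimv2 : " + c} for c in
              ("Win32_Processor", "Win32_Bios", "Win32_BaseBoard",
               "Win32_NetworkAdapter")]
WMI_EVENTS.append({"pid": 8000, "query": "SELECT * FROM Win32_Processor"})


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def user_writable(path):
    return "\\users\\" in path.lower()   # C:\Users\... needs no elevation

def check_double_extension(e):
    if DOUBLE_EXT.search(basename(e["image"])):
        return ("double_extension", e["pid"], basename(e["image"]))

def check_dotnet_host_hollowing(e):
    # RegSvcs.exe normally receives an assembly path. The report shows it run
    # as bare "{path}" (no arguments) by the sample and by another RegSvcs.exe.
    if basename(e["image"]) not in DOTNET_HOSTS:
        return None
    no_args = e["cmdline"].strip("'\" ").lower() == e["image"].lower()
    odd_parent = (user_writable(e["parent_image"])
                  or basename(e["parent_image"]) in DOTNET_HOSTS)
    if no_args and odd_parent:
        return ("dotnet_host_no_args", e["pid"], basename(e["parent_image"]))

def check_system_binary_copies(events):
    # One MD5 seen both under \Windows\ and under a user directory: a system
    # binary copied out for persistence (BAVLA.exe has RegSvcs.exe's MD5).
    by_hash = defaultdict(set)
    for e in events:
        by_hash[e["md5"].upper()].add(e["image"])
    out = []
    for md5, images in by_hash.items():
        system = [i for i in images if i.lower().startswith("c:\\windows\\")]
        user = sorted(i for i in images if user_writable(i))
        if system and user:
            out.append(("system_binary_copy", md5, user))
    return out

def check_wmi_probes(events, threshold=2):
    # Two or more distinct hardware classes enumerated by the same process.
    classes = defaultdict(set)
    for e in events:
        for cls in re.findall(r"\bwin32_\w+", e["query"], re.I):
            if cls.lower() in VM_PROBE_CLASSES:
                classes[e["pid"]].add(cls.lower())
    return [("wmi_vm_probe", pid, sorted(c)) for pid, c in classes.items()
            if len(c) >= threshold]

def analyze(process_events=PROCESS_EVENTS, wmi_events=WMI_EVENTS):
    findings = []
    for e in process_events:
        for check in (check_double_extension, check_dotnet_host_hollowing):
            hit = check(e)
            if hit:
                findings.append(hit)
    return (findings + check_system_binary_copies(process_events)
            + check_wmi_probes(wmi_events))
```

Tune the WMI threshold against inventory agents and the host list against build servers; a RegSvcs.exe that is handed a real assembly path, like the control row, must never fire, and the hash-reuse check only works when the telemetry records a hash for every image, including the ones under C:\Windows.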

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Source: 4.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 4x nop then jmp 04EEFAD7h
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4x nop then jmp 053FB92Dh
              Source: RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
              Source: RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
              Source: RegSvcs.exe, 00000002.00000003.224225547.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://en.wikip
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
              Source: RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmpString found in binary or memory: http://tutZNp.com
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: RegSvcs.exe, 00000002.00000003.225003835.00000000056F8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
              Source: RegSvcs.exe, 00000002.00000003.224943085.00000000056F8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comaU
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: RegSvcs.exe, 00000002.00000003.225003835.00000000056F8000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comm
              Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.230375956.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: RegSvcs.exe, 00000002.00000003.238534926.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers&
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: RegSvcs.exe, 00000002.00000003.231777787.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: RegSvcs.exe, 00000002.00000003.231777787.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlm
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
              Source: RegSvcs.exe, 00000002.00000003.231031344.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlZ
              Source: RegSvcs.exe, 00000002.00000003.229654249.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/m
              Source: RegSvcs.exe, 00000002.00000003.232215331.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers3
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: RegSvcs.exe, 00000002.00000003.230237068.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers:
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: RegSvcs.exe, 00000002.00000003.231031344.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersJ
              Source: RegSvcs.exe, 00000002.00000003.230643834.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersP
              Source: RegSvcs.exe, 00000002.00000003.232184269.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersn
              Source: RegSvcs.exe, 00000002.00000003.230375956.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
              Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comB.TTF
              Source: RegSvcs.exe, 00000002.00000003.232045464.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comC
              Source: RegSvcs.exe, 00000002.00000003.232045464.00000000056FA000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.232124276.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
              Source: RegSvcs.exe, 00000002.00000003.230375956.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comFZ
              Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comI.TTF
              Source: RegSvcs.exe, 00000002.00000003.238803101.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
              Source: RegSvcs.exe, 00000002.00000003.229654249.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalic
              Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsd
              Source: RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcom
              Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomF
              Source: RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
              Source: RegSvcs.exe, 00000002.00000003.230237068.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comdik
              Source: RegSvcs.exe, 00000002.00000003.230946780.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed
              Source: RegSvcs.exe, 00000002.00000003.238803101.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comion
              Source: RegSvcs.exe, 00000002.00000003.230946780.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comk
              Source: RegSvcs.exe, 00000002.00000003.238803101.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comldco
              Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comlicd
              Source: RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
              Source: RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
              Source: RegSvcs.exe, 00000002.00000003.230946780.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comtoFC
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: RegSvcs.exe, 00000002.00000003.224412585.00000000056F5000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: RegSvcs.exe, 00000002.00000003.224225547.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn//wr
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: RegSvcs.exe, 00000002.00000003.224464538.00000000056F5000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/g
              Source: RegSvcs.exe, 00000002.00000003.224272132.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnM
              Source: RegSvcs.exe, 00000002.00000003.224272132.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnm
              Source: RegSvcs.exe, 00000002.00000003.224225547.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnp
              Source: RegSvcs.exe, 00000002.00000003.224339200.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnu-h
              Source: RegSvcs.exe, 00000002.00000003.224339200.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.c~
              Source: RegSvcs.exe, 00000002.00000003.233692685.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: RegSvcs.exe, 00000002.00000003.233643496.0000000005717000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: RegSvcs.exe, 00000002.00000003.224135139.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kg
              Source: RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krd
              Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.227739333.00000000056F5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: RegSvcs.exe, 00000002.00000003.226821822.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/1
              Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/C
              Source: RegSvcs.exe, 00000002.00000003.227230930.00000000056F5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/U
              Source: RegSvcs.exe, 00000002.00000003.227230930.00000000056F5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
              Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
              Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
              Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/U
              Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
              Source: RegSvcs.exe, 00000002.00000003.227835031.00000000056F5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/k
              Source: RegSvcs.exe, 00000002.00000003.226821822.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/k
              Source: RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/x
              Source: RegSvcs.exe, 00000002.00000003.228913339.00000000056FA000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.236140389.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
              Source: RegSvcs.exe, 00000002.00000003.233692685.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.9
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krE
              Source: RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krn-uW
              Source: RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krtml/des
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: RegSvcs.exe, 00000002.00000003.232281215.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
              Source: RegSvcs.exe, 00000002.00000003.229465784.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deC
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: RegSvcs.exe, 00000002.00000003.232281215.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deFg
              Source: RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dees
              Source: RegSvcs.exe, 00000002.00000003.229529136.00000000056FA000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dewa
              Source: RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: RegSvcs.exe, 00000002.00000003.224887338.00000000056F7000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.9
              Source: RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.orgGETMozilla/5.0
              Source: RegSvcs.exe, 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/
              Source: RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
              Source: RegSvcs.exe, 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
              Source: RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.223172635.0000000000DDB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
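Most of the URLs above are noise: the fontbureau, founder, jiyu-kobo, urwpp and similar strings are vendor links embedded in font files that the process loaded, not attacker infrastructure. Three strings describe the exfiltration path: a GET to https://api.ipify.org with a Mozilla/5.0 User-Agent to learn the victim's public address, a multipart sendDocument call to https://api.telegram.org/bot%telegramapi%/ (the %telegramapi% placeholder presumably being replaced with the operator's bot token at runtime), and a Tor bundle fetched from www.theonionrouter.com rather than from torproject.org. The Python below is an added example, not Joe Sandbox's or the malware's code: it runs those three checks over a constructed proxy log, extracts the bot token from the Telegram URL as an IOC with the secret part redacted, and raises a combined finding when one host resolves its public IP and then posts to a bot within ten minutes. The log layout, the bot token (right shape, not a real one) and the ten-minute window are assumptions.

```python
# Added example (not Joe Sandbox code): proxy-log checks for the network strings
# recovered from the hollowed RegSvcs.exe: an api.ipify.org lookup, a Telegram
# Bot API sendDocument call, and a Tor bundle fetched from a non-torproject host.
import re
from datetime import datetime, timedelta

# Telegram bot token: numeric bot id, colon, secret; the API method follows it.
TELEGRAM_BOT = re.compile(
    r"https?://api\.telegram\.org/bot(?P<botid>\d+):(?P<secret>[\w-]{30,})/(?P<method>\w+)")
# Tor bundle path as seen in the sample, regardless of the serving host.
TOR_BUNDLE = re.compile(r"/dist\.torproject\.org/torbrowser/[\w.]+/tor-win\d+-[\w.]+\.zip$")
IP_LOOKUP_HOSTS = {"api.ipify.org"}          # the page shows ipify only
EXFIL_METHODS = {"senddocument", "sendmessage"}

# Constructed log in an assumed "timestamp src method url status user-agent"
# layout. The bot token is a placeholder of the right shape, not a real one.
LOG = """\
2020-12-01T10:00:01 10.0.0.15 GET https://api.ipify.org/ 200 Mozilla/5.0
2020-12-01T10:00:03 10.0.0.15 POST https://api.telegram.org/bot123456789:AAEXAMPLEexampleEXAMPLEexampleEXAMPLE0/sendDocument 200 Mozilla/5.0
2020-12-01T10:00:09 10.0.0.15 GET https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip 200 Mozilla/5.0
2020-12-01T10:05:00 10.0.0.22 GET https://api.telegram.org/bot123456789:AAEXAMPLEexampleEXAMPLEexampleEXAMPLE0/getMe 200 curl/7.68.0
2020-12-01T10:06:00 10.0.0.30 GET https://dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip 200 Mozilla/5.0
"""


def parse_line(line):
    ts, src, method, url, status, ua = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "url": url, "status": int(status), "ua": ua}


def host_of(url):
    # Tolerates the malformed "http://127.0.0.1:HTTP/1.1" string seen in memory.
    return re.sub(r"^https?://", "", url).split("/", 1)[0].split(":")[0].lower()


def redact_token(botid, secret):
    # Keep the bot id (a stable IOC) and a short prefix of the secret for
    # matching; the rest is credential material and stays out of reports.
    return f"{botid}:{secret[:4]}{'*' * (len(secret) - 4)}"


def check(records, window=timedelta(minutes=10)):
    findings, last_lookup = [], {}
    for r in records:
        host = host_of(r["url"])
        if host in IP_LOOKUP_HOSTS:
            last_lookup[r["src"]] = r["ts"]
            findings.append(("external_ip_lookup", r["src"], host))
        m = TELEGRAM_BOT.search(r["url"])
        if m and m["method"].lower() in EXFIL_METHODS:
            ioc = redact_token(m["botid"], m["secret"])
            findings.append(("telegram_bot_exfil", r["src"], ioc))
            seen = last_lookup.get(r["src"])
            # The stealer resolves its public IP, then ships the report.
            if seen is not None and r["ts"] - seen <= window:
                findings.append(("ip_lookup_then_telegram", r["src"], ioc))
        if TOR_BUNDLE.search(r["url"]) and not host.endswith("torproject.org"):
            findings.append(("tor_bundle_from_mirror", r["src"], host))
    return findings


def run_example():
    return check(parse_line(l) for l in LOG.splitlines())
```

A lone ipify lookup is common for legitimate software, which is why the chained finding carries the weight; a Telegram getMe from a workstation (the 10.0.0.22 line) is left alone here, but any non-browser traffic to api.telegram.org/bot... is worth a second look in an environment that does not run Telegram bots.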

              System Summary:

              .NET source code contains very large array initializations
              Source: 4.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b74A22274u002d68DAu002d4F27u002dB1CFu002d7A1A8B1D0E40u007d/u00379CD1FB3u002dCD92u002d48EBu002d87CDu002dF8EBA390CFF8.csLarge array initialization: .cctor: array initializer size 11783
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_018CB0BA NtQuerySystemInformation,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_018CB089 NtQuerySystemInformation,
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 0_2_04EE4C54
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 0_2_04EEE055
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 0_2_04EE6C04
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 0_2_04EE57F8
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 0_2_04EEED62
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 0_2_04EE3B30
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 0_2_04EEE0CD
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 0_2_04EEE540
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 0_2_04EE0100
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 0_2_04EE0110
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 2_2_053F1739
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 2_2_053F9F72
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 2_2_053FABAA
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 2_2_053F4E08
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 2_2_053F2ABC
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 2_2_053F9FC3
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 2_2_053FA465
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_031B4330
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_031B6F58
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_031B8868
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_031BE56C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_066A2FD0
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_066A94E8
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_066A78CC
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_066AC8D8
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_066A9090
              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.228681130.0000000004F60000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs AdministratorDownloadsBL,.rar.exe
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.226395396.0000000003CE8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameJL vs AdministratorDownloadsBL,.rar.exe
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.226395396.0000000003CE8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs AdministratorDownloadsBL,.rar.exe
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.228856590.0000000004FC0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMARCUS.dll4 vs AdministratorDownloadsBL,.rar.exe
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.223172635.0000000000DDB000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs AdministratorDownloadsBL,.rar.exe
              Source: AdministratorDownloadsBL,.rar.exeBinary or memory string: OriginalFilenameL vs AdministratorDownloadsBL,.rar.exe
              Source: AdministratorDownloadsBL,.rar.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 4.2.RegSvcs.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@13/6@0/0
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 0_2_0101BD36 AdjustTokenPrivileges,
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeCode function: 0_2_0101BCFF AdjustTokenPrivileges,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 2_2_058A066E AdjustTokenPrivileges,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 2_2_058A0637 AdjustTokenPrivileges,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_018CAF3E AdjustTokenPrivileges,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_018CAF07 AdjustTokenPrivileges,
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AdministratorDownloadsBL,.rar.exe.log
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_01
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown Process created: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe 'C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe'
              Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
              Source: unknown Process created: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe 'C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe'
              Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: AdministratorDownloadsBL,.rar.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: AdministratorDownloadsBL,.rar.exe Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: AdministratorDownloadsBL,.rar.exe Static file information: File size 1313280 > 1048576
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Source: AdministratorDownloadsBL,.rar.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x140000
              Source: AdministratorDownloadsBL,.rar.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: AdministratorDownloadsBL,.rar.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: BAVLA.exe, 00000012.00000002.297196626.00000000057C0000.00000002.00000001.sdmp
              Source: Binary string: RegSvcs.pdb source: BAVLA.exe, BAVLA.exe.4.dr
              Source: Binary string: mscorrc.pdb source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.228681130.0000000004F60000.00000002.00000001.sdmp, RegSvcs.exe, 00000002.00000002.256577924.0000000008660000.00000002.00000001.sdmp, RegSvcs.exe, 00000004.00000002.496290423.0000000006640000.00000002.00000001.sdmp

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: AdministratorDownloadsBL,.rar.exe, Home.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.2.AdministratorDownloadsBL,.rar.exe.5e0000.0.unpack, Home.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 0.0.AdministratorDownloadsBL,.rar.exe.5e0000.0.unpack, Home.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 2.2.RegSvcs.exe.400000.0.unpack, SimpleTextEditor/LoginForm.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Binary contains a suspicious time stamp
              Source: initial sample Static PE information: 0xA5B411DA [Mon Feb 4 09:48:10 2058 UTC]
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Code function: 0_2_04EE8462 push ds; iretd
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 4_2_066A0AD9 push ebp; ret
              Source: initial sample Static PE information: section name: .text entropy: 7.86787399891
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run BAVLA

              Hooking and other Techniques for Hiding and Protection:

              Hides that the sample has been downloaded from the Internet (zone.identifier)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe:Zone.Identifier read attributes | delete
              Uses an obfuscated file name to hide its real file extension (double extension)
              Source: Possible double extension: rar.exe Static PE information: AdministratorDownloadsBL,.rar.exe
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match File source: 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: AdministratorDownloadsBL,.rar.exe PID: 5528, type: MEMORY
              Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4576, type: MEMORY
              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLX1AR
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1AR:{
              Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1AR
              Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLX1ARV
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe TID: 5524 Thread sleep time: -41500s >= -30000s
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe TID: 6112 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe TID: 6240 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe TID: 6820 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: RegSvcs.exe, 00000002.00000002.244443033.00000000035CE000.00000004.00000001.sdmp Binary or memory string: VMware
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp Binary or memory string: ar&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1ar
              Source: RegSvcs.exe, 00000004.00000002.495614826.0000000005A90000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp Binary or memory string: vmwareX1arg
              Source: RegSvcs.exe, 00000002.00000002.244443033.00000000035CE000.00000004.00000001.sdmp Binary or memory string: VMWARE|9ar
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp Binary or memory string: VMWAREX1ar0}
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp Binary or memory string: QEMUX1ar
              Source: RegSvcs.exe, 00000002.00000002.244443033.00000000035CE000.00000004.00000001.sdmp Binary or memory string: VMWARE
              Source: RegSvcs.exe, 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
              Source: RegSvcs.exe, 00000002.00000002.244443033.00000000035CE000.00000004.00000001.sdmp Binary or memory string: VMware|9ar
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp Binary or memory string: vmwareX1ar
              Source: RegSvcs.exe, 00000004.00000002.495614826.0000000005A90000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: RegSvcs.exe, 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
              Source: RegSvcs.exe, 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
              Source: RegSvcs.exe, 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
              Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp Binary or memory string: VMWAREX1ar
              Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp Binary or memory string: ar#"SOFTWARE\VMware, Inc.\VMware ToolsX1ar
              Source: RegSvcs.exe, 00000002.00000002.244443033.00000000035CE000.00000004.00000001.sdmp Binary or memory string: VMware |9ar
              Source: AdministratorDownloadsBL,.rar.exe, 00000000.00000002.224085297.0000000002D36000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIX1ar
              Source: RegSvcs.exe, 00000004.00000002.495614826.0000000005A90000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIX1ar1
              Source: RegSvcs.exe, 00000002.00000002.243177906.0000000003261000.00000004.00000001.sdmp Binary or memory string: ar&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1arl
              Source: RegSvcs.exe, 00000004.00000002.495614826.0000000005A90000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Process information queried: ProcessInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Code function: 4_2_031B6F58 LdrInitializeThunk,
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 protect: page execute and read and write
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000 value starts with: 4D5A
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 400000
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 402000
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 480000
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: 4B6000
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe base: F7C008
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe {path}
              Source: RegSvcs.exe, 00000004.00000002.490818392.0000000001CC0000.00000002.00000001.sdmpBinary or memory string: Program Manager
              Source: RegSvcs.exe, 00000004.00000002.490818392.0000000001CC0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
              Source: RegSvcs.exe, 00000004.00000002.490818392.0000000001CC0000.00000002.00000001.sdmpBinary or memory string: Progman
              Source: RegSvcs.exe, 00000004.00000002.490818392.0000000001CC0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exeQueries volume information: C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exeCode function: 4_2_018CB61E GetUserNameW,
              Source: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5344, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4576, type: MEMORY
              Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Tries to steal Mail credentials (via file access)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: Yara match | File source: 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5344, type: MEMORY

              Remote Access Functionality:

              Yara detected AgentTesla
              Source: Yara match | File source: 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5344, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4576, type: MEMORY
              Source: Yara match | File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

              Digits appended to a technique name are the report's count badges, kept as extracted. Empty cells are columns with fewer entries than the others.

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation211 | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Masquerading11 | OS Credential Dumping1 | Security Software Discovery211 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection312 | Virtualization/Sandbox Evasion13 | Input Capture1 | Virtualization/Sandbox Evasion13 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder1 | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Archive Collected Data11 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation1 | NTDS | Account Discovery1 | Distributed Component Object Model | Data from Local System1 | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection312 | LSA Secrets | System Owner/User Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Information Discovery114 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
              Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing13 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
              Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Timestomp1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

              Behavior Graph

              Behavior Graph ID: 326336 | Sample: AdministratorDownloadsBL,.rar.exe | Startdate: 03/12/2020 | Architecture: WINDOWS | Score: 100

              Process tree recovered from the graph (the graphical legend and icons are not reproduced here):

              • Start
                Signatures: Yara detected AgentTesla; Yara detected AntiVM_3; .NET source code contains potential unpacker; 4 other signatures
                • AdministratorDownloadsBL,.rar.exe (started)
                  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                  • RegSvcs.exe (started)
                    Signatures: Injects a PE file into a foreign processes
                    • RegSvcs.exe (started)
                      Dropped: C:\Users\user\AppData\Roaming\...\BAVLA.exe, PE32
                      Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier)
                    • RegSvcs.exe (started)
                  • RegSvcs.exe (started)
                    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                • BAVLA.exe (started)
                  • conhost.exe (started)
                • BAVLA.exe (started)
                  • conhost.exe (started)

              Screenshots


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              No Antivirus matches

              Dropped Files

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe | 0% | Metadefender |
              C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe | 0% | ReversingLabs |

              Unpacked PE Files

              Source | Detection | Scanner | Label
              4.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe | -
http://www.sandoll.co.krn-uW | 0% | Avira URL Cloud | safe | -
http://www.founder.com.cn/cn//wr | 0% | Avira URL Cloud | safe | -
http://www.fontbureau.comessed | 0% | URL Reputation (×4) | safe | -
http://www.sajatypeworks.com | 0% | URL Reputation (×4) | safe | -
http://www.urwpp.deFg | 0% | Avira URL Cloud | safe | -
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (×4) | safe | -
http://www.fontbureau.comlicd | 0% | Avira URL Cloud | safe | -
http://www.jiyu-kobo.co.jp/1 | 0% | Avira URL Cloud | safe | -
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (×3) | safe | -
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation (×3) | safe | -
http://www.sandoll.co.krtml/des | 0% | Avira URL Cloud | safe | -
http://www.founder.com.cn/cn/g | 0% | Avira URL Cloud | safe | -
http://www.urwpp.deDPlease | 0% | URL Reputation (×3) | safe | -
http://www.sandoll.co.krE | 0% | Avira URL Cloud | safe | -
http://www.urwpp.dewa | 0% | Avira URL Cloud | safe | -
http://www.zhongyicts.com.cn | 0% | URL Reputation (×3) | safe | -
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation (×3) | safe | -
http://www.fontbureau.comC | 0% | Avira URL Cloud | safe | -
http://www.fontbureau.comalsd | 0% | Avira URL Cloud | safe | -
http://www.goodfont.co.krd | 0% | Avira URL Cloud | safe | -
http://www.galapagosdesign.com/ | 0% | URL Reputation (×3) | safe | -
http://www.jiyu-kobo.co.jp/U | 0% | Avira URL Cloud | safe | -
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation (×3) | safe | -
http://www.urwpp.dees | 0% | Avira URL Cloud | safe | -
http://www.fontbureau.comdik | 0% | Avira URL Cloud | safe | -
http://www.jiyu-kobo.co.jp/C | 0% | Avira URL Cloud | safe | -
http://www.carterandcone.comm | 0% | Avira URL Cloud | safe | -
http://www.carterandcone.coml | 0% | URL Reputation (×3) | safe | -
http://www.jiyu-kobo.co.jp/x | 0% | URL Reputation (×3) | safe | -
http://www.jiyu-kobo.co.jp/Y0/ | 0% | URL Reputation (×3) | safe | -
http://www.fontbureau.comcomF | 0% | Avira URL Cloud | safe | -
http://www.fontbureau.comldco | 0% | Avira URL Cloud | safe | -
http://www.jiyu-kobo.co.jp/k | 0% | URL Reputation (×3) | safe | -
http://www.monotype.9 | 0% | Avira URL Cloud | safe | -
http://www.goodfont.co.kg | 0% | Avira URL Cloud | safe | -
http://www.fontbureau.comI.TTF | 0% | Avira URL Cloud | safe | -
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (×3) | safe | -
http://www.founder.com.cn/cnM | 0% | Avira URL Cloud | safe | -
http://www.fontbureau.comFZ | 0% | Avira URL Cloud | safe | -
http://www.tiro.com | 0% | URL Reputation (×3) | safe | -
http://www.goodfont.co.kr | 0% | URL Reputation (×3) | safe | -
http://www.carterandcone.com | 0% | URL Reputation (×3) | safe | -
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation (×3) | safe | -
http://www.typography.netD | 0% | URL Reputation (×3) | safe | -
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (×3) | safe | -
http://fontfabrik.com | 0% | URL Reputation (×3) | safe | -
http://www.founder.com.cn/cnp | 0% | Avira URL Cloud | safe | -
http://www.carterandcone.comaU | 0% | Avira URL Cloud | safe | -
http://www.fontbureau.comB.TTF | 0% | Avira URL Cloud | safe | -
http://www.fontbureau.comcom | 0% | URL Reputation (×3) | safe | -

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.sandoll.co.krn-uW | RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn//wr | RegSvcs.exe, 00000002.00000003.224225547.00000000056FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.230375956.00000000056FA000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comessed | RegSvcs.exe, 00000002.00000003.230946780.00000000056FA000.00000004.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
http://www.sajatypeworks.com | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
http://www.urwpp.deFg | RegSvcs.exe, 00000002.00000003.232281215.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/cThe | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe (×4) | unknown
http://www.fontbureau.comlicd | RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/1 | RegSvcs.exe, 00000002.00000003.226821822.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.jiyu-kobo.co.jp/Y0 | RegSvcs.exe, 00000002.00000003.227230930.00000000056F5000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.sandoll.co.krtml/des | RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/g | RegSvcs.exe, 00000002.00000003.224464538.00000000056F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.sandoll.co.krE | RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.dewa | RegSvcs.exe, 00000002.00000003.229529136.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cn | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | RegSvcs.exe, 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.comC | RegSvcs.exe, 00000002.00000003.232045464.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comalsd | RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.krd | RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/ | RegSvcs.exe, 00000002.00000003.233692685.00000000056FA000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.jiyu-kobo.co.jp/U | RegSvcs.exe, 00000002.00000003.227230930.00000000056F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers/frere-jones.htmlZ | RegSvcs.exe, 00000002.00000003.231031344.00000000056FA000.00000004.00000001.sdmp | false | - | high
http://www.urwpp.dees | RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comdik | RegSvcs.exe, 00000002.00000003.230237068.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/C | RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comm | RegSvcs.exe, 00000002.00000003.225003835.00000000056F8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.jiyu-kobo.co.jp/x | RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers/frere-jones.html | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/Y0/ | RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.comcomF | RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comldco | RegSvcs.exe, 00000002.00000003.238803101.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/k | RegSvcs.exe, 00000002.00000003.226821822.00000000056FA000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.monotype.9 | RegSvcs.exe, 00000002.00000003.233692685.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kg | RegSvcs.exe, 00000002.00000003.224135139.00000000056FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comI.TTF | RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.founder.com.cn/cnM | RegSvcs.exe, 00000002.00000003.224272132.00000000056FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersJ | RegSvcs.exe, 00000002.00000003.231031344.00000000056FA000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers? | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comFZ | RegSvcs.exe, 00000002.00000003.230375956.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.goodfont.co.kr | RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.carterandcone.com | RegSvcs.exe, 00000002.00000003.225003835.00000000056F8000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designersP | RegSvcs.exe, 00000002.00000003.230643834.00000000056FA000.00000004.00000001.sdmp | false | - | high
https://api.ipify.orgGETMozilla/5.0 | RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.typography.netD | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | RegSvcs.exe, 00000002.00000003.233643496.0000000005717000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://fontfabrik.com | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.founder.com.cn/cnp | RegSvcs.exe, 00000002.00000003.224225547.00000000056FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comaU | RegSvcs.exe, 00000002.00000003.224943085.00000000056F8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cnm | RegSvcs.exe, 00000002.00000003.224272132.00000000056FE000.00000004.00000001.sdmp | false | - | unknown
http://www.fontbureau.comB.TTF | RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comcom | RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.jiyu-kobo.co.jp/jp/k | RegSvcs.exe, 00000002.00000003.227835031.00000000056F5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cno.9 | RegSvcs.exe, 00000002.00000003.224887338.00000000056F7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fonts.com | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | RegSvcs.exe, 00000002.00000003.223956770.00000000056FE000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.jiyu-kobo.co.jp/jp/U | RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.de | RegSvcs.exe, 00000002.00000003.232281215.00000000056FA000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.sakkal.com | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designersn | RegSvcs.exe, 00000002.00000003.232184269.00000000056FA000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/jp/Z | RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designerst | RegSvcs.exe, 00000002.00000003.230375956.00000000056FA000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/cabarga.htmlm | RegSvcs.exe, 00000002.00000003.231777787.00000000056FA000.00000004.00000001.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0 | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | RegSvcs.exe, 00000002.00000003.232455942.00000000056FA000.00000004.00000001.sdmp | false | - | high
http://DynDns.comDynDNS | RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.comF | RegSvcs.exe, 00000002.00000003.232045464.00000000056FA000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.232124276.00000000056FA000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://tutZNp.com | RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comion | RegSvcs.exe, 00000002.00000003.238803101.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.coma | RegSvcs.exe, 00000002.00000003.238803101.00000000056FA000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://en.wikip | RegSvcs.exe, 00000002.00000003.224225547.00000000056FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comd | RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.founder.com.c~ | RegSvcs.exe, 00000002.00000003.224339200.00000000056FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.urwpp.deC | RegSvcs.exe, 00000002.00000003.229465784.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers& | RegSvcs.exe, 00000002.00000003.238534926.00000000056FA000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comk | RegSvcs.exe, 00000002.00000003.230946780.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | RegSvcs.exe, 00000002.00000003.224412585.00000000056F5000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers/cabarga.html | RegSvcs.exe, 00000002.00000003.231777787.00000000056FA000.00000004.00000001.sdmp | false | - | high
http://www.monotype. | RegSvcs.exe, 00000002.00000003.228913339.00000000056FA000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.236140389.00000000056FA000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
https://api.telegram.org/bot%telegramapi%/ | RegSvcs.exe, 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, RegSvcs.exe, 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp | false | - | high
http://www.fontbureau.comm | RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.jiyu-kobo.co.jp/ | RegSvcs.exe, 00000002.00000003.227907981.00000000056F8000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000003.227739333.00000000056F5000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.como | RegSvcs.exe, 00000002.00000003.231615275.00000000056FA000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.com/designers8 | RegSvcs.exe, 00000002.00000002.256137708.0000000006A02000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.comalic | RegSvcs.exe, 00000002.00000003.229654249.00000000056FA000.00000004.00000001.sdmp | false | URL Reputation: safe (×3) | unknown
http://www.fontbureau.comtoFC | RegSvcs.exe, 00000002.00000003.230946780.00000000056FA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/m | RegSvcs.exe, 00000002.00000003.229654249.00000000056FA000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers: | RegSvcs.exe, 00000002.00000003.230237068.00000000056FA000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cnu-h | RegSvcs.exe, 00000002.00000003.224339200.00000000056FE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x | RegSvcs.exe, 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp | false | - | high

                                                            Contacted IPs

                                                            No contacted IP infos

                                                            General Information

                                                            Joe Sandbox Version:31.0.0 Red Diamond
                                                            Analysis ID:326336
                                                            Start date:03.12.2020
                                                            Start time:10:03:10
                                                            Joe Sandbox Product:CloudBasic
                                                            Overall analysis duration:0h 7m 47s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:light
                                                            Sample file name:AdministratorDownloadsBL,.rar.exe
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:28
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • HDC enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Detection:MAL
                                                            Classification:mal100.troj.spyw.evad.winEXE@13/6@0/0
                                                            EGA Information:Failed
                                                            HDC Information:
                                                            • Successful, ratio: 15.6% (good quality ratio 10.9%)
                                                            • Quality average: 43.6%
                                                            • Quality standard deviation: 35.8%
                                                            HCA Information:
                                                            • Successful, ratio: 98%
                                                            • Number of executed functions: 0
                                                            • Number of non-executed functions: 0
                                                            Cookbook Comments:
                                                            • Adjust boot time
                                                            • Enable AMSI
                                                            • Found application associated with file extension: .exe
                                                            Warnings:
                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.

                                                            Simulations

                                                            Behavior and APIs

Time | Type | Description
10:05:36 | API Interceptor | 1x Sleep call for process: AdministratorDownloadsBL,.rar.exe modified
10:05:46 | API Interceptor | 653x Sleep call for process: RegSvcs.exe modified
10:05:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BAVLA C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
10:06:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BAVLA C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
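The two Autostart events above are the persistence an analyst would triage first. The following script is an added example, not part of the Joe Sandbox report or of the sandbox's own tooling: it parses Autostart lines in the report's format, collapses the 32-bit and 64-bit registry views (HKCU and HKCU64) of the same Run value into one finding, and flags values whose image lives in a user-writable directory or is self-named like BAVLA\BAVLA.exe. The log is constructed from the two entries above plus one benign control entry (the Defender SecurityHealth value), and the scoring rules are this example's own heuristics, not Joe Sandbox signatures.

```python
"""Added example, not part of the Joe Sandbox report: triage the 'Autostart'
events listed under Behavior and APIs. The log lines are constructed from the
two Run-key entries in the report plus one benign control entry; the scoring
rules are this example's own heuristics."""
import re
from pathlib import PureWindowsPath

# Constructed input in the report's own line format: <time>Autostart<description>.
SAMPLE_LOG = r"""
10:05:52AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run BAVLA C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
10:06:02AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run BAVLA C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
10:07:00AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SecurityHealth C:\Program Files\Windows Defender\MSASCuiL.exe
"""

# <time>AutostartRun: <key> <value name> <image path>
# (value names containing spaces are not handled by this simple pattern).
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)AutostartRun: (\S+) (\S+) (.+)$")

# Directories a normal installer almost never uses for a Run value (lowercase).
USER_WRITABLE_ROOTS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)


def parse_autostart(log):
    """Return one dict per Autostart line: time, key, name, image."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            time, key, name, image = m.groups()
            entries.append({"time": time, "key": key, "name": name, "image": image})
    return entries


def triage(entries):
    """Group entries by (value name, image) so the two registry views the
    sandbox logs (HKCU and HKCU64) collapse into one finding, then flag the
    ones whose image path looks like a user-mode drop."""
    grouped = {}
    for e in entries:
        grouped.setdefault((e["name"], e["image"]), []).append(e["key"])

    findings = []
    for (name, image), keys in grouped.items():
        path = PureWindowsPath(image)
        low = str(path).lower()
        reasons = []
        if any(root in low for root in USER_WRITABLE_ROOTS):
            reasons.append("image under user-writable directory")
        if path.parent.name.lower() == path.stem.lower() == name.lower():
            reasons.append("value name, folder and file stem are identical")
        if reasons and all(k.upper().startswith("HKCU") for k in keys):
            # Supporting context only: per-user persistence needs no admin rights.
            reasons.append("per-user Run key")
        if reasons:
            findings.append({"name": name, "image": image, "keys": keys, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_autostart(SAMPLE_LOG)):
        print(f["name"], f["image"], f["keys"], f["reasons"], sep="\n  ")
```

Run against the constructed log, only the BAVLA value is reported, with both registry views listed under one finding; the HKLM Defender entry produces no reasons and is dropped. On a live host the same triage applies to the output of a Run-key export, with the parser swapped for whatever format that export uses.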

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            No context

                                                            Domains

                                                            No context

                                                            ASN

                                                            No context

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

Match: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
Associated sample names (Detection: malicious for each):
• signed_19272.zip(~18 KB) (2).exe
• TT Swift Copy..,.exe
• Invoice-.exe
• Invoice..,.exe
• Bank Update Info.exe
• eLPEEvaFgq6CHTS.exe
• NR.13346.exe
• Quote 571189.exe
• WyLE6g2Vrj.exe
• SKM_C3350191107102300.exe
• PO#1709 SHI Pdf.exe
• DHL SHIPPINC DOCUUMEN....exe
• TT Swift Copy.exe
• APLUSHPH-DKK, 3X20'DC, ETD 23 oct.exe
• Parking List.pdf,.exe
• P.O List.exe
• P.O List.exe
• Swift 5893038993.exe
• TT Swift Copy.pdf (4).exe
• PO 67961.exe

                                                                                                    Created / dropped Files

                                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AdministratorDownloadsBL,.rar.exe.log
                                                                                                    Process:C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):641
                                                                                                    Entropy (8bit):5.271473536084351
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U2u7x5I6Hi0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2I3rOz2T
                                                                                                    MD5:C3EC08CD6BEA8576070D5A52B4B6D7D0
                                                                                                    SHA1:40B95253F98B3CC5953100C0E71DAC7915094A5A
                                                                                                    SHA-256:28B314C3E5651414FD36B2A65B644A2A55F007A34A536BE17514E12CEE5A091B
                                                                                                    SHA-512:5B0E6398A092F08240DC6765425E16DB52F32542FF7250E87403C407E54B3660EF93E0EAD17BA2CEF6B666951ACF66FA0EAD61FB52E80867DDD398E8258DED22
                                                                                                    Malicious:false
                                                                                                    Reputation:moderate, very likely benign file
                                                                                                    Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\d05d469d89b319a068f2123e7e6f8621\System.Web.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\BAVLA.exe.log
                                                                                                    Process:C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:modified
                                                                                                    Size (bytes):120
                                                                                                    Entropy (8bit):5.016405576253028
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:QHXMKaoWglAFXMWA2yTMGfsbNXLVd49Am12MFuAvOAsDeieVyn:Q3LawlAFXMWTyAGCFLIP12MUAvvrs
                                                                                                    MD5:50DEC1858E13F033E6DCA3CBFAD5E8DE
                                                                                                    SHA1:79AE1E9131B0FAF215B499D2F7B4C595AA120925
                                                                                                    SHA-256:14A557E226E3BA8620BB3A70035E1E316F1E9FB5C9E8F74C07110EE90B8D8AE4
                                                                                                    SHA-512:1BD73338DF685A5B57B0546E102ECFDEE65800410D6F77845E50456AC70DE72929088AF19B59647F01CBA7A5ACFB399C52D9EF2402A9451366586862EF88E7BF
                                                                                                    Malicious:false
                                                                                                    Reputation:moderate, very likely benign file
                                                                                                    Preview: 1,"fusion","GAC",0..2,"System.EnterpriseServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegSvcs.exe.log
                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):641
                                                                                                    Entropy (8bit):5.271473536084351
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70U2u7x5I6Hi0Ug+9Yz9tv:MLF20NaL329hJ5g522rW2I3rOz2T
                                                                                                    MD5:C3EC08CD6BEA8576070D5A52B4B6D7D0
                                                                                                    SHA1:40B95253F98B3CC5953100C0E71DAC7915094A5A
                                                                                                    SHA-256:28B314C3E5651414FD36B2A65B644A2A55F007A34A536BE17514E12CEE5A091B
                                                                                                    SHA-512:5B0E6398A092F08240DC6765425E16DB52F32542FF7250E87403C407E54B3660EF93E0EAD17BA2CEF6B666951ACF66FA0EAD61FB52E80867DDD398E8258DED22
                                                                                                    Malicious:false
                                                                                                    Reputation:moderate, very likely benign file
                                                                                                    Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\d05d469d89b319a068f2123e7e6f8621\System.Web.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
                                                                                                    C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
                                                                                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):3.7515815714465193
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:384:BOj9Y8/gS7SDriLGKq1MHR5U4Ag6ihJSxUCR1rgCPKabK2t0X5P7DZ+JgWSW72uw:B+gSAdN1MH3HAFRJngW2u
                                                                                                    MD5:71369277D09DA0830C8C59F9E22BB23A
                                                                                                    SHA1:37F9781314F0F6B7E9CB529A573F2B1C8DE9E93F
                                                                                                    SHA-256:D4527B7AD2FC4778CC5BE8709C95AEA44EAC0568B367EE14F7357D72898C3698
                                                                                                    SHA-512:2F470383E3C796C4CF212EC280854DBB9E7E8C8010CE6857E58F8E7066D7516B7CD7039BC5C0F547E1F5C7F9F2287869ADFFB2869800B08B2982A88BE96E9FB7
                                                                                                    Malicious:true
                                                                                                    Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: signed_19272.zip(~18 KB) (2).exe, Detection: malicious
• Filename: TT Swift Copy..,.exe, Detection: malicious
• Filename: Invoice-.exe, Detection: malicious
• Filename: Invoice..,.exe, Detection: malicious
• Filename: Bank Update Info.exe, Detection: malicious
• Filename: eLPEEvaFgq6CHTS.exe, Detection: malicious
• Filename: NR.13346.exe, Detection: malicious
• Filename: Quote 571189.exe, Detection: malicious
• Filename: WyLE6g2Vrj.exe, Detection: malicious
• Filename: SKM_C3350191107102300.exe, Detection: malicious
• Filename: PO#1709 SHI Pdf.exe, Detection: malicious
• Filename: DHL SHIPPINC DOCUUMEN....exe, Detection: malicious
• Filename: TT Swift Copy.exe, Detection: malicious
• Filename: APLUSHPH-DKK, 3X20'DC, ETD 23 oct.exe, Detection: malicious
• Filename: Parking List.pdf,.exe, Detection: malicious
• Filename: P.O List.exe, Detection: malicious
• Filename: P.O List.exe, Detection: malicious
• Filename: Swift 5893038993.exe, Detection: malicious
• Filename: TT Swift Copy.pdf (4).exe, Detection: malicious
• Filename: PO 67961.exe, Detection: malicious
                                                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....{Z.................P... .......k... ........@.. ...............................[....@..................................k..K................................... k............................................... ............... ..H............text....K... ...P.................. ..`.rsrc................`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    \Device\ConDrv
                                                                                                    Process:C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1145
                                                                                                    Entropy (8bit):4.462201512373672
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:zKLXkzPDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0zPDQntKKH1MqJC
                                                                                                    MD5:46EBEB88876A00A52CC37B1F8E0D0438
                                                                                                    SHA1:5E5DB352F964E5F398301662FF558BD905798A65
                                                                                                    SHA-256:D65BD5A6CC112838AFE8FA70BF61FD13C1313BCE3EE3E76C50E454D7B581238B
                                                                                                    SHA-512:E713E6F304A469FB71235C598BC7E2C6F8458ABC61DAF3D1F364F66579CAFA4A7F3023E585BDA552FB400009E7805A8CA0311A50D5EDC9C2AD2D067772A071BE
                                                                                                    Malicious:false
                                                                                                    Preview: Microsoft (R) .NET Framework Services Installation Utility Version 2.0.50727.8922..Copyright (c) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output...

                                                                                                    Static File Info

                                                                                                    General

                                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                    Entropy (8bit):7.864015963131449
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                                    File name:AdministratorDownloadsBL,.rar.exe
                                                                                                    File size:1313280
                                                                                                    MD5:6fc0b6bc27b1d5c59a1500e2aea68722
                                                                                                    SHA1:837917dd7748ae07bd17357fa61045a75d30358e
                                                                                                    SHA256:14834e422ad8358e7ab81ecaeac49eaedcd036c084ab26c9e33193c26b138241
                                                                                                    SHA512:78a408b498ff3030e0c79c045a93ca2f8ef2555da91ed77d76d3c193cd383e8e025290d5b74459e01b01a81300d85634346c18b670bb706272d31dbe30ef3538
                                                                                                    SSDEEP:24576:y4EaCNT+lMnN2/n9mUyGP4mIIDzFXi6cMOiKF+5QFV6ej2Ahp:y4Xc+lCsf9QztIDFi6CiKFbFxCAr
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. .......................`............@................................

                                                                                                    File Icon

                                                                                                    Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint: 0x541fd6
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xA5B411DA [Mon Feb 4 09:48:10 2058 UTC]
TLS Callbacks:
CLR (.Net) Version: v2.0.50727
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x141f84         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x142000         0x5e4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x144000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x141f68         0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type               Entropy         Characteristics
.text   0x2000           0x13ffdc      0x140000  False     0.889221954346   COM executable for DOS  7.86787399891   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x142000         0x5e4         0x600     False     0.4453125        data                    4.24730858984   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x144000         0xc           0x200     False     0.044921875      data                    0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA       Size   Type                                                                         Language  Country
RT_VERSION   0x142090  0x354  data
RT_MANIFEST  0x1423f4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2019 AbbVie Inc.
Assembly Version  5.687.0.0
InternalName      .exe
FileVersion       59.35.0.0
CompanyName       AbbVie Inc.
LegalTrademarks
Comments          Allergan
ProductName       Rasa Motors
ProductVersion    59.35.0.0
FileDescription   Rasa Motors
OriginalFilename  .exe

Network Behavior

No network behavior found

Behavior

System Behavior

General

Start time: 10:05:36
Start date: 03/12/2020
Path: C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\AdministratorDownloadsBL,.rar.exe'
Imagebase: 0x7ffb73670000
File size: 1313280 bytes
MD5 hash: 6FC0B6BC27B1D5C59A1500E2AEA68722
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 10:05:37
Start date: 03/12/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0x310000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 10:05:38
Start date: 03/12/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xc20000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.243203680.0000000003285000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.244641799.0000000004268000.00000004.00000001.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 10:05:47
Start date: 03/12/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0x170000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 10:05:47
Start date: 03/12/2020
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xff0000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.492554955.00000000036E1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.484525240.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 10:06:02
Start date: 03/12/2020
Path: C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe'
Imagebase: 0x270000
File size: 32768 bytes
MD5 hash: 71369277D09DA0830C8C59F9E22BB23A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate

                                                                                                    General

                                                                                                    Start time:10:06:02
                                                                                                    Start date:03/12/2020
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6b2800000
                                                                                                    File size:625664 bytes
                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:10:06:10
                                                                                                    Start date:03/12/2020
                                                                                                    Path:C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:'C:\Users\user\AppData\Roaming\BAVLA\BAVLA.exe'
                                                                                                    Imagebase:0xde0000
                                                                                                    File size:32768 bytes
                                                                                                    MD5 hash:71369277D09DA0830C8C59F9E22BB23A
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Reputation:moderate

                                                                                                    General

                                                                                                    Start time:10:06:11
                                                                                                    Start date:03/12/2020
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff6b2800000
                                                                                                    File size:625664 bytes
                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    Disassembly

                                                                                                    Code Analysis
