Windows Analysis Report
F#U0130YAT TEKL#U0130F.exe

Overview

General Information

Sample name: F#U0130YAT TEKL#U0130F.exe
renamed because the original name contains the non-ASCII character İ (U+0130), which the sandbox encodes as #U0130
Original sample name: FİYAT TEKLİF.exe (Turkish for "price quote")
Analysis ID: 1430788
MD5: 47cc3bb8bb0427d4ce5da71c2cf3702f
SHA1: cb11ece89c4bb3cb337a32107af9504ed7deb89a
SHA256: 04d2e21d12836aeb42dea69f39783165668427397987d8ce55c94765effb844b
Tags: exe, geoTUR

Detection

AgentTesla, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone purchase ($100/$150 depending on the version) or on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.aquareklam.com", "Username": "info@aquareklam.com", "Password": "Aqua1923"}
Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["mail.aquareklam.com"]}
Source: F#U0130YAT TEKL#U0130F.exe ReversingLabs: Detection: 47%
Source: F#U0130YAT TEKL#U0130F.exe Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Local\directory\name.exe Joe Sandbox ML: detected
Source: F#U0130YAT TEKL#U0130F.exe Joe Sandbox ML: detected
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49727 version: TLS 1.2
Source: Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4570703429.000000000322D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4574444368.0000000004693000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: name.exe, 00000006.00000003.3712788813.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.3713380322.0000000003860000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3829363478.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3830095011.0000000003A60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: name.exe, 00000006.00000003.3712788813.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.3713380322.0000000003860000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3829363478.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3830095011.0000000003A60000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_009EDBBE
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009BC2A2 FindFirstFileExW, 0_2_009BC2A2
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F68EE FindFirstFileW,FindClose, 0_2_009F68EE
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_009F698F
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_009ED076
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_009ED3A9
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_009F9642
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_009F979D
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_009F9B2B
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_009F5C97
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0101DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 6_2_0101DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FEC2A2 FindFirstFileExW, 6_2_00FEC2A2
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0102698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 6_2_0102698F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_010268EE FindFirstFileW,FindClose, 6_2_010268EE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0101D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_0101D076
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0101D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_0101D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0102979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_0102979D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01029642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_01029642
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01029B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 6_2_01029B2B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01025C97 FindFirstFileW,FindNextFileW,FindClose, 6_2_01025C97
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
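The wscript.exe probes of the Startup folder above, together with the signatures "Drops VBS files to the startup folder", "Sigma detected: WScript or CScript Dropper", "Creates a process in suspended mode", "Maps a DLL or memory area into another process" and "Writes to foreign memory regions", describe a chain a host sensor can catch without any file hash: an AutoIt dropper in a user-writable path writes a script to Startup, wscript.exe later runs it, and a signed .NET Framework utility (RegSvcs.exe here) is started and written into so that it hosts the stealer. The following is an added example, not part of this report or of Joe Sandbox: Python detection logic run over constructed Sysmon-style records. The .vbs file name, the RegSvcs.exe install path and the name.exe -> RegSvcs.exe parent/child relation are assumptions (the report dumps both processes and shows memory written into RegSvcs.exe, but does not print the process tree).

```python
import re

# Field names follow Sysmon's JSON export: Event ID 1 = ProcessCreate,
# 11 = FileCreate, 10 = ProcessAccess (GrantedAccess is a hex string).
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf)(?=[\"'\s]|$)", re.I)
USER_PATH_RE = re.compile(r"\\Users\\[^\\]+\\(AppData\\(Local|Roaming)|Desktop|Downloads)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Signed .NET Framework utilities present on every box; loaders like this one
# hollow them instead of dropping the stealer as its own PE file.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (kind, actor, subject) findings for the events that match."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:  # FileCreate: script written into the Startup folder
            target = ev["TargetFilename"]
            if STARTUP_RE.search(target) and SCRIPT_RE.search(target):
                findings.append(("startup_script_drop", basename(ev["Image"]), target))
        elif eid == 1:  # ProcessCreate
            image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
            cmd = ev.get("CommandLine", "")
            if image in SCRIPT_HOSTS and STARTUP_RE.search(cmd) and SCRIPT_RE.search(cmd):
                findings.append(("script_host_runs_startup_script", image, cmd))
            if image in DOTNET_HOSTS and USER_PATH_RE.search(ev["ParentImage"]):
                findings.append(("dotnet_utility_spawned_from_user_path", parent, image))
        elif eid == 10:  # ProcessAccess with rights that allow writing code into the target
            target = basename(ev["TargetImage"])
            granted = int(ev["GrantedAccess"], 16)
            if target in DOTNET_HOSTS and granted & (PROCESS_VM_WRITE | PROCESS_CREATE_THREAD):
                findings.append(("write_access_to_dotnet_utility", basename(ev["SourceImage"]), target))
    return findings


def verdict(findings):
    kinds = {kind for kind, _, _ in findings}
    injection = {"dotnet_utility_spawned_from_user_path", "write_access_to_dotnet_utility"} <= kinds
    persistence = bool(kinds & {"startup_script_drop", "script_host_runs_startup_script"})
    if injection and persistence:
        return "stealer_loader_chain"
    if injection or persistence:
        return "suspicious"
    return "clean"


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"  # assumed install path
DROPPER = r"C:\Users\user\AppData\Local\directory\name.exe"
STARTUP_VBS = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"  # assumed name

# Constructed events mirroring the report's chain; not sandbox output.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": DROPPER, "ParentImage": r"C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe",
     "CommandLine": f'"{DROPPER}"'},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": STARTUP_VBS},
    {"EventID": 1, "Image": REGSVCS, "ParentImage": DROPPER, "CommandLine": f'"{REGSVCS}"'},
    {"EventID": 10, "SourceImage": DROPPER, "TargetImage": REGSVCS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"C:\\Windows\\System32\\wscript.exe" "{STARTUP_VBS}"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},  # benign control, produces no finding
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
    print("verdict:", verdict(detect(SAMPLE_EVENTS)))
```

The two halves are scored separately on purpose: a Startup .vbs alone is common in adware and admin scripts, and a .NET utility started from AppData alone can be a build tool, but the combination with a process-access event carrying PROCESS_VM_WRITE against that utility is the hollowing pattern the report's "Writes to foreign memory regions" signature describes.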

Networking

Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49725 -> 37.247.115.2:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49726 -> 37.247.115.2:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49728 -> 37.247.115.2:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49729 -> 37.247.115.2:587
Source: Malware configuration extractor URLs: mail.aquareklam.com
Source: global traffic TCP traffic: 192.168.2.6:49725 -> 37.247.115.2:587
Source: Joe Sandbox View IP Address: 104.26.12.205
Source: Joe Sandbox View ASN Name: ACCESS2ITNL
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: global traffic TCP traffic: 192.168.2.6:49725 -> 37.247.115.2:587
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009FCE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_009FCE44
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: RegSvcs.exe, 00000007.00000002.3837231570.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837231570.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.00000000036BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.aquareklam.com
Source: RegSvcs.exe, 00000007.00000002.3837231570.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837231570.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000007.00000002.3837231570.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000007.00000002.3837231570.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.0000000003650000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49727 version: TLS 1.2
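The Networking evidence above is the sequence AgentTesla's SMTP exfil mode produces: a GET to api.ipify.org with a browser user agent (to learn the victim's public IP) followed by TCP sessions from the same host to mail.aquareklam.com (37.247.115.2) on port 587, which is what Snort rule 2030171 fired on. The following is an added example, not part of this report or of Joe Sandbox: Python detection logic for that sequence, run over constructed Zeek-style http.log and conn.log lines. Only the api.ipify.org lookup and the 192.168.2.6 -> 37.247.115.2:587 sessions mirror what the report recorded; the other clients, the relay address 10.0.0.25 and the five-minute window are assumptions. The sandbox shows the GET in clear because it inspects TLS; a sensor without TLS interception sees only the DNS query and the TLS session to 104.26.12.205, so the same correlation can be keyed on dns.log `query` or ssl.log `server_name` via the name_field parameter.

```python
IP_ECHO_SERVICES = {"api.ipify.org", "ipinfo.io", "checkip.amazonaws.com",
                    "icanhazip.com", "ifconfig.me", "ip-api.com"}
MAIL_PORTS = {25, 465, 587}
ALLOWED_MAIL_RELAYS = {"10.0.0.25"}   # assumption: the only SMTP relay clients may talk to
CORRELATION_WINDOW_S = 300.0          # assumption: lookup-to-SMTP gap worth correlating

# Constructed log lines in Zeek's tab-separated layout (a subset of the real
# http.log / conn.log columns). Only the api.ipify.org lookup and the
# 192.168.2.6 -> 37.247.115.2:587 sessions mirror what the report recorded.
HTTP_LOG = (
    "#fields\tts\tid.orig_h\tid.resp_h\thost\turi\tuser_agent\n"
    "1700000000.000\t192.168.2.6\t104.26.12.205\tapi.ipify.org\t/\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0\n"
    "1700000030.000\t192.168.2.9\t198.51.100.7\tintranet.example\t/\tMozilla/5.0\n"
)
CONN_LOG = (
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1700000012.000\t192.168.2.6\t49725\t37.247.115.2\t587\ttcp\n"
    "1700000013.000\t192.168.2.6\t49726\t37.247.115.2\t587\ttcp\n"
    "1700000040.000\t192.168.2.9\t50123\t10.0.0.25\t587\ttcp\n"     # sanctioned relay
    "1700000050.000\t192.168.2.8\t50200\t203.0.113.10\t587\ttcp\n"  # direct SMTP, no lookup
    "1700000060.000\t192.168.2.6\t49730\t37.247.115.2\t80\ttcp\n"   # not a mail port
)


def parse_zeek_tsv(text):
    """Turn a #fields-headed TSV log into a list of dicts keyed by column name."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def ip_echo_lookups(rows, name_field="host"):
    """Map client IP -> timestamps of its requests to public IP-echo services.
    Use name_field="query" for dns.log rows or "server_name" for ssl.log rows."""
    lookups = {}
    for r in rows:
        if r.get(name_field, "").lower() in IP_ECHO_SERVICES:
            lookups.setdefault(r["id.orig_h"], []).append(float(r["ts"]))
    return lookups


def find_smtp_exfil(conn_rows, lookups, window=CORRELATION_WINDOW_S, relays=ALLOWED_MAIL_RELAYS):
    """Alert on client-to-mail-port sessions that bypass the relay; raise the
    severity when the client asked an IP-echo service for its address shortly before."""
    alerts = []
    for c in conn_rows:
        if c["proto"] != "tcp" or int(c["id.resp_p"]) not in MAIL_PORTS or c["id.resp_h"] in relays:
            continue
        src, ts = c["id.orig_h"], float(c["ts"])
        preceded = any(0 <= ts - t <= window for t in lookups.get(src, []))
        alerts.append({
            "ts": ts, "src": src, "dst": f"{c['id.resp_h']}:{c['id.resp_p']}",
            "severity": "high" if preceded else "medium",
            "reason": ("public-IP lookup followed by direct SMTP submission"
                       if preceded else "direct SMTP submission bypassing the relay"),
        })
    return alerts


if __name__ == "__main__":
    lookups = ip_echo_lookups(parse_zeek_tsv(HTTP_LOG))
    for a in find_smtp_exfil(parse_zeek_tsv(CONN_LOG), lookups):
        print(a["severity"], a["src"], "->", a["dst"], a["reason"])
```

The medium-severity branch is the more useful of the two in practice: workstations have no reason to open 25/465/587 to anything but the organisation's relay, so an egress rule that blocks those ports except to the relay stops this exfil mode outright, and the remaining hits are an inventory of hosts that tried.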

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, K6raBsUk6.cs .Net Code: YvZf4568g
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_009FEAFF
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_009FED6A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0102ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 6_2_0102ED6A
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_009FEAFF
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_009EAA57
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_00A19576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00A19576
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01049576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 6_2_01049576

System Summary

Source: 6.2.name.exe.3670000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 10.2.name.exe.12a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.3833407043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.3720636618.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.3833226149.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: F#U0130YAT TEKL#U0130F.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: F#U0130YAT TEKL#U0130F.exe, 00000000.00000000.2100955084.0000000000A42000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_8d142966-d
Source: F#U0130YAT TEKL#U0130F.exe, 00000000.00000000.2100955084.0000000000A42000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_922c6992-b
Source: F#U0130YAT TEKL#U0130F.exe, 00000000.00000003.3687606553.0000000004091000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_70620fdc-6
Source: F#U0130YAT TEKL#U0130F.exe, 00000000.00000003.3687606553.0000000004091000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_24c62a24-e
Source: name.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000006.00000002.3719840683.0000000001072000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_d332f53c-2
Source: name.exe, 00000006.00000002.3719840683.0000000001072000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_171f2d48-c
Source: name.exe, 0000000A.00000000.3821165393.0000000001072000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_d45bc43a-3
Source: name.exe, 0000000A.00000000.3821165393.0000000001072000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_c9457305-7
Source: F#U0130YAT TEKL#U0130F.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_8a319ad7-f
Source: F#U0130YAT TEKL#U0130F.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_e79f30e5-d
Source: name.exe.0.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ee9b2f00-f
Source: name.exe.0.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_49987ad0-e
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009ED5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_009ED5EB
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_009E1201
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_009EE8F6
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0101E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 6_2_0101E8F6
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F2046 0_2_009F2046
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_00988060 0_2_00988060
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009E8298 0_2_009E8298
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009BE4FF 0_2_009BE4FF
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009B676B 0_2_009B676B
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_00A14873 0_2_00A14873
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009ACAA0 0_2_009ACAA0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_0098CAF0 0_2_0098CAF0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_0099CC39 0_2_0099CC39
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009B6DD9 0_2_009B6DD9
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009891C0 0_2_009891C0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_0099B119 0_2_0099B119
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009A1394 0_2_009A1394
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009A781B 0_2_009A781B
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_00987920 0_2_00987920
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_0099997D 0_2_0099997D
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009A7A4A 0_2_009A7A4A
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009A7CA7 0_2_009A7CA7
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009B9EEE 0_2_009B9EEE
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_00A0BE44 0_2_00A0BE44
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_023536C0 0_2_023536C0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FB8060 6_2_00FB8060
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01022046 6_2_01022046
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01018298 6_2_01018298
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FEE4FF 6_2_00FEE4FF
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FE676B 6_2_00FE676B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01044873 6_2_01044873
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FBCAF0 6_2_00FBCAF0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FDCAA0 6_2_00FDCAA0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FCCC39 6_2_00FCCC39
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FE6DD9 6_2_00FE6DD9
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FB91C0 6_2_00FB91C0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FCB119 6_2_00FCB119
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FD1394 6_2_00FD1394
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FD781B 6_2_00FD781B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FC997D 6_2_00FC997D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FB7920 6_2_00FB7920
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FD7A4A 6_2_00FD7A4A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FD7CA7 6_2_00FD7CA7
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FE9EEE 6_2_00FE9EEE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0103BE44 6_2_0103BE44
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FA36C0 6_2_00FA36C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00408C60 7_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0040DC11 7_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00407C3F 7_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00418CCC 7_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00406CA0 7_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004028B0 7_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041A4BE 7_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00418244 7_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00401650 7_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00402F20 7_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004193C4 7_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00418788 7_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00402F89 7_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00402B90 7_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004073A0 7_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_028ECE88 7_2_028ECE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_028EDAA0 7_2_028EDAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_028ED1D0 7_2_028ED1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_028E0FD0 7_2_028E0FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_028E1030 7_2_028E1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0614EE88 7_2_0614EE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06149688 7_2_06149688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0614BCE8 7_2_0614BCE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06145A70 7_2_06145A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06146268 7_2_06146268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06140040 7_2_06140040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0614F5E8 7_2_0614F5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06140006 7_2_06140006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06565240 7_2_06565240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0656A0E0 7_2_0656A0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_065661C8 7_2_065661C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06561530 7_2_06561530
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 10_2_011636C0 10_2_011636C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0316CE98 11_2_0316CE98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0316DAB0 11_2_0316DAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0316D1E0 11_2_0316D1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_03161030 11_2_03161030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0612EE88 11_2_0612EE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06129688 11_2_06129688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0612BCE8 11_2_0612BCE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06126268 11_2_06126268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06120006 11_2_06120006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06120040 11_2_06120040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06ED0620 11_2_06ED0620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06ED5420 11_2_06ED5420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06EDA2C0 11_2_06EDA2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06ED63A8 11_2_06ED63A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06ED1710 11_2_06ED1710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: String function: 0099F9F2 appears 40 times
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: String function: 009A0A30 appears 46 times
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: String function: 00989CB3 appears 31 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 00FCF9F2 appears 40 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 00FB9CB3 appears 31 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 00FD0A30 appears 46 times
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 6.2.name.exe.3670000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 10.2.name.exe.12a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.3833407043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.3720636618.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.3833226149.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, c2bZQnG.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, c2bZQnG.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, Q1L0K.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, Q1L0K.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@3/2
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F37B5 GetLastError,FormatMessageW, 0_2_009F37B5
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009E10BF AdjustTokenPrivileges,CloseHandle, 0_2_009E10BF
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_009E16C3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_010110BF AdjustTokenPrivileges,CloseHandle, 6_2_010110BF
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_010116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 6_2_010116C3
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_009F51CD
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_00A0A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00A0A67C
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_009F648E
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_009842A2
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe File created: C:\Users\user\AppData\Local\directory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe File created: C:\Users\user\AppData\Local\Temp\autBC22.tmp
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: F#U0130YAT TEKL#U0130F.exe ReversingLabs: Detection: 47%
Source: F#U0130YAT TEKL#U0130F.exe Virustotal: Detection: 39%
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe File read: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe
Source: unknown Process created: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: F#U0130YAT TEKL#U0130F.exe Static file information: File size 1210368 > 1048576
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4570703429.000000000322D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4574444368.0000000004693000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: name.exe, 00000006.00000003.3712788813.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.3713380322.0000000003860000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3829363478.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3830095011.0000000003A60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: name.exe, 00000006.00000003.3712788813.00000000036C0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000006.00000003.3713380322.0000000003860000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3829363478.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3830095011.0000000003A60000.00000004.00001000.00020000.00000000.sdmp
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: F#U0130YAT TEKL#U0130F.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_009842DE
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009A0A76 push ecx; ret 0_2_009A0A89
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FD0A76 push ecx; ret 6_2_00FD0A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041C40C push cs; iretd 7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00423149 push eax; ret 7_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041C50E push cs; iretd 7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004231C8 push eax; ret 7_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0040E21D push ecx; ret 7_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041C6BE push ebx; ret 7_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06565965 pushfd ; ret 7_2_06565967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_03164782 push ds; retf 11_2_03164797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_031639F0 pushad ; iretd 11_2_031639F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_03164842 push edx; iretd 11_2_03164843
Source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'OfMVLvGi4aA8w', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'OfMVLvGi4aA8w', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'OfMVLvGi4aA8w', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'OfMVLvGi4aA8w', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'OfMVLvGi4aA8w', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe File created: C:\Users\user\AppData\Local\directory\name.exe

Boot Survival

Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_0099F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0099F98E
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_00A11C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00A11C41
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FCF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 6_2_00FCF98E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01041C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 6_2_01041C41
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\directory\name.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 7_2_004019F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1046
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\directory\name.exe API coverage: 4.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_009EDBBE
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009BC2A2 FindFirstFileExW, 0_2_009BC2A2
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F68EE FindFirstFileW,FindClose, 0_2_009F68EE
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_009F698F
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_009ED076
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_009ED3A9
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_009F9642
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_009F979D
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_009F9B2B
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_009F5C97
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0101DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 6_2_0101DBBE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FEC2A2 FindFirstFileExW, 6_2_00FEC2A2
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0102698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 6_2_0102698F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_010268EE FindFirstFileW,FindClose, 6_2_010268EE
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0101D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_0101D076
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0101D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 6_2_0101D3A9
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_0102979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_0102979D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01029642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 6_2_01029642
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01029B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 6_2_01029B2B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01025C97 FindFirstFileW,FindNextFileW,FindClose, 6_2_01025C97
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_009842DE
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\
Source: RegSvcs.exe, 00000007.00000002.3837231570.0000000002C7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.4571149713.000000000377A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: HGFS)
Source: RegSvcs.exe, 00000007.00000002.3839733441.000000000518E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 0000000B.00000002.4574968955.0000000005AF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009FEAA2 BlockInput, 0_2_009FEAA2
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009B2622
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009A4CE8 mov eax, dword ptr fs:[00000030h] 0_2_009A4CE8
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_02353550 mov eax, dword ptr fs:[00000030h] 0_2_02353550
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_023535B0 mov eax, dword ptr fs:[00000030h] 0_2_023535B0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_02351ED0 mov eax, dword ptr fs:[00000030h] 0_2_02351ED0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FD4CE8 mov eax, dword ptr fs:[00000030h] 6_2_00FD4CE8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FA35B0 mov eax, dword ptr fs:[00000030h] 6_2_00FA35B0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FA3550 mov eax, dword ptr fs:[00000030h] 6_2_00FA3550
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FA1ED0 mov eax, dword ptr fs:[00000030h] 6_2_00FA1ED0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 10_2_011635B0 mov eax, dword ptr fs:[00000030h] 10_2_011635B0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 10_2_01163550 mov eax, dword ptr fs:[00000030h] 10_2_01163550
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 10_2_01161ED0 mov eax, dword ptr fs:[00000030h] 10_2_01161ED0
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_009E0B62
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009A083F
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009A09D5 SetUnhandledExceptionFilter, 0_2_009A09D5
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_009A0C21
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00FE2622
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FD083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00FD083F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FD09D5 SetUnhandledExceptionFilter, 6_2_00FD09D5
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_00FD0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00FD0C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004123F1 SetUnhandledExceptionFilter, 7_2_004123F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 90D008
Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10A0008
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_009E1201
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009C2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_009C2BA5
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009EB226 SendInput,keybd_event, 0_2_009EB226
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_00A022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00A022DA
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_009E0B62
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_009E1663
Source: F#U0130YAT TEKL#U0130F.exe, name.exe.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: F#U0130YAT TEKL#U0130F.exe, name.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009A0698 cpuid 0_2_009A0698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA, 7_2_00417A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_009F8195
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009DD27A GetUserNameW, 0_2_009DD27A
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009BB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_009BB952
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_009842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_009842DE
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.4571149713.0000000003694000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.4571149713.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3837231570.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.4571149713.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.4571149713.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3837231570.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3837231570.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2540, type: MEMORYSTR
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 6.2.name.exe.3670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.name.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3833407043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3720636618.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3833226149.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: name.exe Binary or memory string: WIN_81
Source: name.exe Binary or memory string: WIN_XP
Source: name.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: name.exe Binary or memory string: WIN_XPe
Source: name.exe Binary or memory string: WIN_VISTA
Source: name.exe Binary or memory string: WIN_7
Source: name.exe Binary or memory string: WIN_8
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.4571149713.0000000003694000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3837231570.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2540, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.4571149713.0000000003694000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.4571149713.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3837231570.0000000002BBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.4571149713.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.4571149713.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3837231570.0000000002B94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3837231570.0000000002BC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 2540, type: MEMORYSTR
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.274f4de.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b46458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b93d90.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.274f4de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b93d90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5240000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.27503c6.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b46458.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5240000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b45570.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3b45570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.27503c6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ae0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3838840579.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3835842078.000000000270F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3837117368.0000000002AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3840117375.0000000005240000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 6.2.name.exe.3670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.name.exe.12a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3833407043.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3720636618.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3833226149.00000000012A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_00A01204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00A01204
Source: C:\Users\user\Desktop\F#U0130YAT TEKL#U0130F.exe Code function: 0_2_00A01806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00A01806
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01031204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 6_2_01031204
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 6_2_01031806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 6_2_01031806