Windows Analysis Report
ORDER_66688IO875545422245.exe

Overview

General Information

Sample name: ORDER_66688IO875545422245.exe
Analysis ID: 1629222
MD5: 307dc835a89d887c44cd2176938eefb2
SHA1: 0da89738593ccff0c59f6c808298761a8b32a0b1
SHA256: 9844bc2feea19d53abd61aa595b1e0bad7bc4eec0b62445ee49ce978fc276f78
Tags: exe, user-julianmckein

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • ORDER_66688IO875545422245.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\ORDER_66688IO875545422245.exe" MD5: 307DC835A89D887C44CD2176938EEFB2)
    • drawlingly.exe (PID: 6108 cmdline: "C:\Users\user\Desktop\ORDER_66688IO875545422245.exe" MD5: 307DC835A89D887C44CD2176938EEFB2)
      • RegSvcs.exe (PID: 5208 cmdline: "C:\Users\user\Desktop\ORDER_66688IO875545422245.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 5676 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drawlingly.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • drawlingly.exe (PID: 6496 cmdline: "C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe" MD5: 307DC835A89D887C44CD2176938EEFB2)
      • RegSvcs.exe (PID: 6088 cmdline: "C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Malware configuration (extracted): {"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "sarthiever@fosna.net", "Password": "(=8fPSH$KO_!"}
Yara matches in memory dumps: Source | Rule | Description | Author
00000003.00000002.2277021292.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.2277021292.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.3377153250.0000000002E55000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.2280877966.0000000002945000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2156125410.0000000001280000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 16 entries shown)
Yara matches in unpacked PEs: Source | Rule | Description | Author | Strings
5.2.drawlingly.exe.1ab0000.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
5.2.drawlingly.exe.1ab0000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.drawlingly.exe.1ab0000.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x343c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x34437:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x344c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x34553:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x345bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3462f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x346c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x34755:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.drawlingly.exe.1ab0000.1.raw.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x3158d:$s2: GetPrivateProfileString
  • 0x30c5d:$s3: get_OSFullName
  • 0x322a3:$s5: remove_Key
  • 0x32493:$s5: remove_Key
  • 0x333ac:$s6: FtpWebRequest
  • 0x343a7:$s7: logins
  • 0x34919:$s7: logins
  • 0x375fc:$s7: logins
  • 0x376dc:$s7: logins
  • 0x39031:$s7: logins
  • 0x38276:$s9: 1.85 (Hash, version 2, native byte-order)
2.2.drawlingly.exe.1280000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 15 entries shown)

System Summary

                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drawlingly.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drawlingly.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drawlingly.vbs" , ProcessId: 5676, ProcessName: wscript.exe
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drawlingly.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drawlingly.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drawlingly.vbs" , ProcessId: 5676, ProcessName: wscript.exe

Data Obfuscation

                  Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe, ProcessId: 6108, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drawlingly.vbs
                  No Suricata rule has matched

AV Detection

                  Source: 2.2.drawlingly.exe.1280000.1.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "sarthiever@fosna.net", "Password": "(=8fPSH$KO_!"}
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Virustotal: Detection: 56%
Source: ORDER_66688IO875545422245.exe ReversingLabs: Detection: 65%
Source: ORDER_66688IO875545422245.exe Virustotal: Detection: 56%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
                  Source: ORDER_66688IO875545422245.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: Binary string: wntdll.pdbUGP source: drawlingly.exe, 00000002.00000003.2153527047.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, drawlingly.exe, 00000002.00000003.2154685899.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, drawlingly.exe, 00000005.00000003.2276653024.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, drawlingly.exe, 00000005.00000003.2275429373.0000000003B10000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: drawlingly.exe, 00000002.00000003.2153527047.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, drawlingly.exe, 00000002.00000003.2154685899.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, drawlingly.exe, 00000005.00000003.2276653024.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, drawlingly.exe, 00000005.00000003.2275429373.0000000003B10000.00000004.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008E445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_008E445A
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008EC6D1 FindFirstFileW,FindClose,0_2_008EC6D1
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_008EC75C
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_008EEF95
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_008EF0F2
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_008EF3F3
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008E37EF
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_008E3B12
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_008EBCBC
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: 2_2_0023445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0023445A
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: 2_2_0023C6D1 FindFirstFileW,FindClose,2_2_0023C6D1
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: 2_2_0023C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0023C75C
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: 2_2_0023EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0023EF95
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: 2_2_0023F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0023F0F2
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: 2_2_0023F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0023F3F3
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: 2_2_002337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_002337EF
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: 2_2_00233B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00233B12
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: 2_2_0023BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0023BCBC
                  Source: global trafficTCP traffic: 192.168.2.6:57326 -> 162.159.36.2:53
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: unknown DNS query: name: ip-api.com
Source: unknown TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008F22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_008F22EE
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: ip-api.com
                  Source: global trafficDNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
                  Source: RegSvcs.exe, 00000003.00000002.2280877966.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2280877966.0000000002911000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2280877966.00000000029D8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3377153250.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3377153250.0000000002E2B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3377153250.0000000002F03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                  Source: drawlingly.exe, 00000002.00000002.2156125410.0000000001280000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2277021292.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2277908955.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2280877966.0000000002911000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2280877966.00000000029D8000.00000004.00000800.00020000.00000000.sdmp, drawlingly.exe, 00000005.00000002.2279266294.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3377153250.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3377153250.0000000002E2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                  Source: RegSvcs.exe, 00000006.00000002.3376647074.000000000121D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hostingJhy
                  Source: RegSvcs.exe, 00000006.00000002.3376647074.000000000121D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hostingih
                  Source: RegSvcs.exe, 00000003.00000002.2280877966.0000000002911000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2280877966.00000000029D8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3377153250.0000000002EE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3377153250.0000000002E2B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: drawlingly.exe, 00000002.00000002.2156125410.0000000001280000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2277021292.0000000000402000.00000040.80000000.00040000.00000000.sdmp, drawlingly.exe, 00000005.00000002.2279266294.0000000001AB0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: 2.2.drawlingly.exe.1280000.1.raw.unpack, oAKy.cs.Net Code: ExGJKp0bbyd
                  Source: 5.2.drawlingly.exe.1ab0000.1.raw.unpack, oAKy.cs.Net Code: ExGJKp0bbyd
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_008F4164
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: 2_2_00244164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00244164
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008F3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_008F3F66
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008E001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_008E001C
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_0090CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0090CABC
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: 2_2_0025CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0025CABC

System Summary

                  Source: 5.2.drawlingly.exe.1ab0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 5.2.drawlingly.exe.1ab0000.1.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 2.2.drawlingly.exe.1280000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 2.2.drawlingly.exe.1280000.1.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 2.2.drawlingly.exe.1280000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 2.2.drawlingly.exe.1280000.1.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 5.2.drawlingly.exe.1ab0000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 5.2.drawlingly.exe.1ab0000.1.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 00000002.00000002.2156125410.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000002.00000002.2156125410.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 00000005.00000002.2279266294.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000005.00000002.2279266294.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: This is a third-party compiled AutoIt script.0_2_00883B3A
                  Source: ORDER_66688IO875545422245.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: ORDER_66688IO875545422245.exe, 00000000.00000003.2134584922.0000000004243000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_51872206-5
                  Source: ORDER_66688IO875545422245.exe, 00000000.00000002.2135764710.0000000000934000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_ec003618-8
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: This is a third-party compiled AutoIt script.2_2_001D3B3A
                  Source: drawlingly.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: drawlingly.exe, 00000002.00000002.2155389814.0000000000284000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_be185509-f
                  Source: drawlingly.exe, 00000005.00000000.2256515169.0000000000284000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e2a184b9-c
                  Source: ORDER_66688IO875545422245.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_db6069f3-b
                  Source: ORDER_66688IO875545422245.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_dcb97459-a
                  Source: drawlingly.exe.0.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4f94a71d-8
                  Source: drawlingly.exe.0.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_a25906ff-e
Source: initial sample | Static PE information: Filename: ORDER_66688IO875545422245.exe
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008EA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle | 0_2_008EA1EF
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008D8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_008D8310
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008E51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_008E51BD
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_002351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 2_2_002351BD
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: String function: 00887DE1 appears 35 times
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: String function: 008A0AE3 appears 70 times
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: String function: 008A8900 appears 42 times
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: String function: 001D7DE1 appears 35 times
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: String function: 001F8900 appears 42 times
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: String function: 001F0AE3 appears 70 times
Source: ORDER_66688IO875545422245.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 5.2.drawlingly.exe.1ab0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.drawlingly.exe.1ab0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.drawlingly.exe.1280000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.drawlingly.exe.1280000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.drawlingly.exe.1280000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.drawlingly.exe.1280000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 5.2.drawlingly.exe.1ab0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.drawlingly.exe.1ab0000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000002.00000002.2156125410.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.2156125410.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000005.00000002.2279266294.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000002.2279266294.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.drawlingly.exe.1280000.1.raw.unpack, ekKu0.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.drawlingly.exe.1280000.1.raw.unpack, vKf1z6NvS.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.drawlingly.exe.1280000.1.raw.unpack, ZNAvlD7qmXc.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 2.2.drawlingly.exe.1280000.1.raw.unpack, U2doU2.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.drawlingly.exe.1280000.1.raw.unpack, BgffYko.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.drawlingly.exe.1280000.1.raw.unpack, HrTdA63.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.drawlingly.exe.1280000.1.raw.unpack, Vvp22TrBv9g.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@3/1
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008EA06A GetLastError,FormatMessageW | 0_2_008EA06A
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008D81CB AdjustTokenPrivileges,CloseHandle | 0_2_008D81CB
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008D87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 0_2_008D87E1
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_002281CB AdjustTokenPrivileges,CloseHandle | 2_2_002281CB
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_002287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 2_2_002287E1
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008EB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode | 0_2_008EB3FB
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008FEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 0_2_008FEE0D
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008EC397 CoInitialize,CoCreateInstance,CoUninitialize | 0_2_008EC397
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_00884E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource | 0_2_00884E89
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | File created: C:\Users\user\AppData\Local\exhilaratingly
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | File created: C:\Users\user\AppData\Local\Temp\autF179.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drawlingly.vbs"
Source: ORDER_66688IO875545422245.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000003.00000002.2280877966.0000000002A11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2280877966.0000000002A23000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3377153250.0000000002F33000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3377153250.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ORDER_66688IO875545422245.exe | ReversingLabs: Detection: 65%
Source: ORDER_66688IO875545422245.exe | Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | File read: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe
Source: unknown | Process created: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe "C:\Users\user\Desktop\ORDER_66688IO875545422245.exe"
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Process created: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe "C:\Users\user\Desktop\ORDER_66688IO875545422245.exe"
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ORDER_66688IO875545422245.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe "C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe"
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe"
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: ORDER_66688IO875545422245.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: ORDER_66688IO875545422245.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: ORDER_66688IO875545422245.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: ORDER_66688IO875545422245.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: ORDER_66688IO875545422245.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: ORDER_66688IO875545422245.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: ORDER_66688IO875545422245.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: drawlingly.exe, 00000002.00000003.2153527047.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, drawlingly.exe, 00000002.00000003.2154685899.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, drawlingly.exe, 00000005.00000003.2276653024.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, drawlingly.exe, 00000005.00000003.2275429373.0000000003B10000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: drawlingly.exe, 00000002.00000003.2153527047.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, drawlingly.exe, 00000002.00000003.2154685899.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, drawlingly.exe, 00000005.00000003.2276653024.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, drawlingly.exe, 00000005.00000003.2275429373.0000000003B10000.00000004.00001000.00020000.00000000.sdmp
                  Source: ORDER_66688IO875545422245.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: ORDER_66688IO875545422245.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: ORDER_66688IO875545422245.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: ORDER_66688IO875545422245.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: ORDER_66688IO875545422245.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_00884B37 LoadLibraryA,GetProcAddress,0_2_00884B37
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeCode function: 0_2_008A8945 push ecx; ret 0_2_008A8958
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeCode function: 2_2_001F8945 push ecx; ret 2_2_001F8958
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00E70285 push cs; iretd 3_2_00E701DB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00E70A35 push eax; iretd 3_2_00E70A3F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_02C70A35 push eax; iretd 6_2_02C70A3F
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exeFile created: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exeJump to dropped file

                  Boot Survival

Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\drawlingly.vbs
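The startup-folder VBS above is the sample's boot persistence: any script in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup runs at every interactive logon of that user, with no Run key and no scheduled task, so a sweep that only checks the registry misses it. The hunt below is an added Python example, not part of the Joe Sandbox report or of the sample: it lists script files in that folder and pulls out the WScript.Shell launch targets. The report does not show the contents of drawlingly.vbs, so the script the example constructs is a guess at a typical launcher pointing at the dropped drawlingly.exe path, and is labelled as such in the code.

```python
"""Hunt the per-user Startup folder for script launchers like drawlingly.vbs.

Added example; the VBS body below is constructed (the report does not show it).
"""
import os
import re
import tempfile
from pathlib import Path

# Script types that WScript/CScript or cmd will run straight from Startup.
SCRIPT_SUFFIXES = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".ps1"}

# Typical launcher idiom: CreateObject("WScript.Shell").Run "C:\path\x.exe", 0
CREATE_RE = re.compile(r'CreateObject\s*\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
RUN_RE = re.compile(r'\.Run\s*\(?\s*"([^"]+)"', re.IGNORECASE)
PROFILE_RE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)


def user_startup_dir(appdata: str = "") -> Path:
    """The folder drawlingly.vbs was dropped into (APPDATA defaults to the env var)."""
    base = appdata or os.environ.get("APPDATA", "")
    return Path(base) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def inspect_script(path: Path) -> dict:
    """Pull COM objects and launch targets out of a script without executing it."""
    text = path.read_text(errors="replace")
    targets = RUN_RE.findall(text)
    return {
        "file": str(path),
        "com_objects": sorted(set(CREATE_RE.findall(text))),
        "run_targets": targets,
        # A launcher pointing into the user profile (as drawlingly.exe does) is
        # the red flag; legitimate Startup entries mostly point at Program Files.
        "launches_from_profile": any(PROFILE_RE.search(t) for t in targets),
    }


def hunt_startup(startup_dir: Path) -> list:
    """Return one finding per script file in the Startup folder (empty if absent)."""
    if not startup_dir.is_dir():
        return []
    return [
        inspect_script(p)
        for p in sorted(startup_dir.iterdir())
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES
    ]


# Constructed stand-in for drawlingly.vbs: what a minimal launcher for the
# dropped binary would look like. Assumption, not the sample's real script.
SAMPLE_VBS = "\n".join([
    'Set sh = CreateObject("WScript.Shell")',
    r'sh.Run "C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe", 0, False',
])


def demo_startup_dir() -> Path:
    """Build a throwaway Startup folder holding the constructed launcher plus a decoy."""
    d = Path(tempfile.mkdtemp(prefix="startup-"))
    (d / "drawlingly.vbs").write_text(SAMPLE_VBS)
    (d / "desktop.ini").write_text("[.ShellClassInfo]\n")  # not a script, must be skipped
    return d


if __name__ == "__main__":
    # On Windows inspect the real folder; elsewhere run against the constructed one.
    target = user_startup_dir() if os.name == "nt" else demo_startup_dir()
    for finding in hunt_startup(target):
        flag = "SUSPICIOUS" if finding["launches_from_profile"] else "review"
        print(f"{flag}: {finding['file']} -> {finding['run_targets']}")
```

Run it under each interactive user's profile, not just the analyst's: the drop is per-user (Roaming AppData), so an entry in one profile says nothing about the others. The all-users folder under ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp deserves the same pass.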
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_00905376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_001D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_00255376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008A3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: drawlingly.exe PID: 6108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: drawlingly.exe PID: 6496, type: MEMORYSTR
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | API/Special instruction interceptor: Address: 135A6EC
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | API/Special instruction interceptor: Address: 1339F14
Source: drawlingly.exe, 00000002.00000002.2156125410.0000000001280000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2277021292.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2280877966.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2280877966.0000000002945000.00000004.00000800.00020000.00000000.sdmp, drawlingly.exe, 00000005.00000002.2279266294.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3377153250.0000000002E55000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3377153250.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-105866
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | API coverage: 4.3 %
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | API coverage: 4.7 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008E445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008EC6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_0023445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_0023C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_0023C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_0023EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_0023F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_0023F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_002337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_00233B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe | Code function: 2_2_0023BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | Code function: 0_2_008849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: RegSvcs.exe, 00000006.00000002.3377153250.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: RegSvcs.exe, 00000006.00000002.3377153250.0000000002F03000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: RegSvcs.exe, 00000006.00000002.3378431050.0000000006165000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: drawlingly.exe, 00000005.00000002.2279266294.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000003.00000002.2282895649.0000000005B8C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe | API call chain: ExitProcess graph end node | graph_0-104369

                  Anti Debugging

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00E77070 CheckRemoteDebuggerPresent,3_2_00E77070
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008F3F09 BlockInput,0_2_008F3F09
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_00883B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00883B3A
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008B5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_008B5A7C
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_00884B37 LoadLibraryA,GetProcAddress,0_2_00884B37
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_0186C2C0 mov eax, dword ptr fs:[00000030h] 0_2_0186C2C0
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_0186C260 mov eax, dword ptr fs:[00000030h] 0_2_0186C260
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_0186AC30 mov eax, dword ptr fs:[00000030h] 0_2_0186AC30
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Code function: 2_2_01359328 mov eax, dword ptr fs:[00000030h] 2_2_01359328
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Code function: 2_2_0135A958 mov eax, dword ptr fs:[00000030h] 2_2_0135A958
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Code function: 2_2_0135A9B8 mov eax, dword ptr fs:[00000030h] 2_2_0135A9B8
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Code function: 5_2_0133A180 mov eax, dword ptr fs:[00000030h] 5_2_0133A180
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Code function: 5_2_0133A1E0 mov eax, dword ptr fs:[00000030h] 5_2_0133A1E0
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Code function: 5_2_01338B50 mov eax, dword ptr fs:[00000030h] 5_2_01338B50
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008D80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_008D80A9
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008AA124 SetUnhandledExceptionFilter,0_2_008AA124
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008AA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_008AA155
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Code function: 2_2_001FA124 SetUnhandledExceptionFilter,2_2_001FA124
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Code function: 2_2_001FA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_001FA155
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 66D008
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DDE008
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008D87B1 LogonUserW,0_2_008D87B1
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_00883B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00883B3A
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_008848D7
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008E4C27 mouse_event,0_2_008E4C27
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ORDER_66688IO875545422245.exe"
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe "C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe"
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe"
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008D7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_008D7CAF
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008D874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_008D874B
                  Source: ORDER_66688IO875545422245.exe, drawlingly.exe.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: ORDER_66688IO875545422245.exe, drawlingly.exe Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008A862B cpuid 0_2_008A862B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008B4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_008B4E87
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008C1E06 GetUserNameW,0_2_008C1E06
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008B3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_008B3F3A
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_008849A0
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match File source: 5.2.drawlingly.exe.1ab0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.drawlingly.exe.1280000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.drawlingly.exe.1280000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.drawlingly.exe.1ab0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000003.00000002.2277021292.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000002.00000002.2156125410.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000002.2279266294.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: drawlingly.exe PID: 6108, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5208, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: drawlingly.exe PID: 6496, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: drawlingly.exe Binary or memory string: WIN_81
                  Source: drawlingly.exe Binary or memory string: WIN_XP
                  Source: drawlingly.exe Binary or memory string: WIN_XPe
                  Source: drawlingly.exe Binary or memory string: WIN_VISTA
                  Source: drawlingly.exe Binary or memory string: WIN_7
                  Source: drawlingly.exe Binary or memory string: WIN_8
                  Source: drawlingly.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                  Source: Yara match File source: 5.2.drawlingly.exe.1ab0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.drawlingly.exe.1280000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.drawlingly.exe.1280000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.drawlingly.exe.1ab0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000003.00000002.2277021292.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000006.00000002.3377153250.0000000002E55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000003.00000002.2280877966.0000000002945000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000002.00000002.2156125410.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000002.2279266294.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: drawlingly.exe PID: 6108, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5208, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: drawlingly.exe PID: 6496, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6088, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match File source: 5.2.drawlingly.exe.1ab0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.drawlingly.exe.1280000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 2.2.drawlingly.exe.1280000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 5.2.drawlingly.exe.1ab0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000003.00000002.2277021292.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000002.00000002.2156125410.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000005.00000002.2279266294.0000000001AB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: drawlingly.exe PID: 6108, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5208, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: drawlingly.exe PID: 6496, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008F6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_008F6283
                  Source: C:\Users\user\Desktop\ORDER_66688IO875545422245.exe Code function: 0_2_008F6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_008F6747
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Code function: 2_2_00246283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,2_2_00246283
                  Source: C:\Users\user\AppData\Local\exhilaratingly\drawlingly.exe Code function: 2_2_00246747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00246747
                  MITRE ATT&CK matrix, tactic columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information111
                  Scripting
                  2
                  Valid Accounts
                  221
                  Windows Management Instrumentation
                  111
                  Scripting
                  1
                  Exploitation for Privilege Escalation
                  11
                  Disable or Modify Tools
                  1
                  OS Credential Dumping
                  2
                  System Time Discovery
                  Remote Services11
                  Archive Collected Data
                  2
                  Ingress Tool Transfer
                  Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts2
                  Native API
                  1
                  DLL Side-Loading
                  1
                  DLL Side-Loading
                  11
                  Deobfuscate/Decode Files or Information
                  121
                  Input Capture
                  1
                  Account Discovery
                  Remote Desktop Protocol1
                  Data from Local System
                  1
                  Encrypted Channel
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAt2
                  Valid Accounts
                  2
                  Valid Accounts
                  2
                  Obfuscated Files or Information
                  Security Account Manager2
                  File and Directory Discovery
                  SMB/Windows Admin Shares1
                  Email Collection
                  2
                  Non-Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCron2
                  Registry Run Keys / Startup Folder
                  21
                  Access Token Manipulation
                  1
                  DLL Side-Loading
                  NTDS138
                  System Information Discovery
                  Distributed Component Object Model121
                  Input Capture
                  2
                  Application Layer Protocol
                  Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                  Process Injection
                  1
                  Masquerading
                  LSA Secrets751
                  Security Software Discovery
                  SSH3
                  Clipboard Data
                  Fallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
                  Registry Run Keys / Startup Folder
                  2
                  Valid Accounts
                  Cached Domain Credentials22
                  Virtualization/Sandbox Evasion
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items22
                  Virtualization/Sandbox Evasion
                  DCSync2
                  Process Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
                  Access Token Manipulation
                  Proc Filesystem1
                  Application Window Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt212
                  Process Injection
                  /etc/passwd and /etc/shadow1
                  System Owner/User Discovery
                  Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                  System Network Configuration Discovery
                  Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 1629222
                  Sample: ORDER_66688IO875545422245.exe
                  Startdate: 04/03/2025
                  Architecture: WINDOWS
                  Score: 100

                  Start node
                    DNS/IP: ip-api.com; 241.42.69.40.in-addr.arpa
                    Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
                    Started: ORDER_66688IO875545422245.exe [4]; wscript.exe [1]

                  ORDER_66688IO875545422245.exe [4]
                    Dropped: C:\Users\user\AppData\...\drawlingly.exe, PE32
                    Signatures: Binary is likely a compiled AutoIt script file
                    Started: drawlingly.exe [2]

                  wscript.exe [1]
                    Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    Started: drawlingly.exe [1]

                  drawlingly.exe [2] (started by ORDER_66688IO875545422245.exe)
                    Dropped: C:\Users\user\AppData\...\drawlingly.vbs, data
                    Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Drops VBS files to the startup folder; 2 other signatures
                    Started: RegSvcs.exe [15 2]

                  drawlingly.exe [1] (started by wscript.exe)
                    Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                    Started: RegSvcs.exe [2]

                  RegSvcs.exe [15 2]
                    DNS/IP: ip-api.com 208.95.112.1, 49710, 49765, 80, TUT-ASUS United States
                    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

                  RegSvcs.exe [2]
                    Signatures: Tries to harvest and steal browser information (history, passwords, etc)

                  Bracketed numbers after a process name are the graph's per-node counters (see legend).
