
Windows Analysis Report
oCPGyn28rc.exe

Overview

General Information

Sample name: oCPGyn28rc.exe (renamed because the original name is a hash value)
Original sample name: 0091db5e3fa6269fa2ad8b54f797334f142678fd78b7099063c3ece593e9fc1f.exe
Analysis ID: 1631773
MD5: 21005adbeddc7ca0f5cf6d0aa9fbe39a
SHA1: 7134844a16b7e7c07b18765e405af39ebf969238
SHA256: 0091db5e3fa6269fa2ad8b54f797334f142678fd78b7099063c3ece593e9fc1f
Tags: exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • oCPGyn28rc.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\oCPGyn28rc.exe" MD5: 21005ADBEDDC7CA0F5CF6D0AA9FBE39A)
    • Citlaltpetl.exe (PID: 6812 cmdline: "C:\Users\user\Desktop\oCPGyn28rc.exe" MD5: 21005ADBEDDC7CA0F5CF6D0AA9FBE39A)
      • RegSvcs.exe (PID: 6900 cmdline: "C:\Users\user\Desktop\oCPGyn28rc.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 2772 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citlaltpetl.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • Citlaltpetl.exe (PID: 5404 cmdline: "C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe" MD5: 21005ADBEDDC7CA0F5CF6D0AA9FBE39A)
      • RegSvcs.exe (PID: 5224 cmdline: "C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.daipro.com.mx", "Username": "contabilidad@daipro.com.mx", "Password": "DAIpro123**"}
Yara matches in memory dumps (Source | Rule | Description | Author):
  • 00000003.00000002.1200036913.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000003.00000002.1200036913.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    Strings:
    • 0x3418f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x34201:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x3428b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x3431d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x34387:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x343f9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x3448f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x3451f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
(16 entries in the full report; 5 shown)
Yara matches in unpacked PEs (Source | Rule | Description | Author):
  • 3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 3.2.RegSvcs.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    Strings: the same eight vault schema GUIDs ($s1 to $s8, offsets 0x3418f to 0x3451f) as in the memory-dump match above
  • 5.2.Citlaltpetl.exe.ef0000.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 5.2.Citlaltpetl.exe.ef0000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(10 entries in the full report; 5 shown)

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
  Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citlaltpetl.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citlaltpetl.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4076, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citlaltpetl.vbs" , ProcessId: 2772, ProcessName: wscript.exe
Source: Network Connection | Author: frack113
  Data: DestinationIp: 144.217.198.22, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 5224, Protocol: tcp, SourceIp: 192.168.2.11, SourceIsIpv6: false, SourcePort: 49708
Source: Process started | Author: Michael Haag
  Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citlaltpetl.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citlaltpetl.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4076, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citlaltpetl.vbs" , ProcessId: 2772, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security
  Data: EventID: 11, Image: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe, ProcessId: 6812, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citlaltpetl.vbs
No Suricata rule has matched


AV Detection

Source: oCPGyn28rc.exe | Avira: detected
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Avira: detection malicious, Label: TR/AD.GenSteal.mluwh
Source: 5.2.Citlaltpetl.exe.ef0000.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.daipro.com.mx", "Username": "contabilidad@daipro.com.mx", "Password": "DAIpro123**"}
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | ReversingLabs: Detection: 65%
Source: oCPGyn28rc.exe | Virustotal: Detection: 70%
Source: oCPGyn28rc.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: oCPGyn28rc.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP | source: Citlaltpetl.exe, 00000002.00000003.1082199932.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Citlaltpetl.exe, 00000002.00000003.1080904872.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, Citlaltpetl.exe, 00000005.00000003.1199119266.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Citlaltpetl.exe, 00000005.00000003.1197208710.0000000003410000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Citlaltpetl.exe, 00000002.00000003.1082199932.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Citlaltpetl.exe, 00000002.00000003.1080904872.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, Citlaltpetl.exe, 00000005.00000003.1199119266.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Citlaltpetl.exe, 00000005.00000003.1197208710.0000000003410000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E34696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00E34696
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E3C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00E3C9C7
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E3C93C FindFirstFileW,FindClose,0_2_00E3C93C
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E3F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E3F200
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E3F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E3F35D
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E3F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E3F65E
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E33A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E33A2B
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E33D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E33D4E
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E3BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E3BF27
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_00614696 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00614696
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_0061C93C FindFirstFileW,FindClose,2_2_0061C93C
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_0061C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0061C9C7
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_0061F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0061F200
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_0061F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0061F35D
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_0061F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0061F65E
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_00613A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00613A2B
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_00613D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00613D4E
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_0061BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0061BF27
Source: global traffic | TCP traffic: 192.168.2.11:49708 -> 144.217.198.22:587
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: OVHFR
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E425E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00E425E2
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: mail.daipro.com.mx
Source: RegSvcs.exe, 00000003.00000002.1203762555.0000000003030000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: RegSvcs.exe, 00000006.00000002.3499965482.0000000002A19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://daipro.com.mx
Source: RegSvcs.exe, 00000003.00000002.1203762555.0000000003054000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1203762555.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3499965482.00000000029ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: Citlaltpetl.exe, 00000002.00000002.1085144635.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1200036913.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1203762555.0000000003054000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1203762555.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Citlaltpetl.exe, 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3499965482.00000000029ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000006.00000002.3499965482.0000000002A19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.daipro.com.mx
Source: RegSvcs.exe, 00000003.00000002.1203762555.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1203762555.0000000003014000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3499965482.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Citlaltpetl.exe, 00000002.00000002.1085144635.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1200036913.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Citlaltpetl.exe, 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000003.00000002.1203762555.0000000003028000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipif8
Source: Citlaltpetl.exe, 00000002.00000002.1085144635.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1200036913.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1203762555.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1203762555.0000000003014000.00000004.00000800.00020000.00000000.sdmp, Citlaltpetl.exe, 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3499965482.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000003.00000002.1203762555.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1203762555.0000000003014000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3499965482.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000003.00000002.1203762555.0000000003014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/TR
Source: RegSvcs.exe, 00000003.00000002.1203762555.0000000003014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/p
Source: RegSvcs.exe, 00000003.00000002.1203762555.0000000003014000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 00000003.00000002.1203762555.0000000003030000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgD
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, 8AYyiOU7.cs | .Net Code: rmF
Source: 5.2.Citlaltpetl.exe.ef0000.1.raw.unpack, 8AYyiOU7.cs | .Net Code: rmF
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E4425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00E4425A
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E44458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00E44458
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_00624458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00624458
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E30219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00E30219
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E5CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00E5CDAC
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_0063CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0063CDAC

System Summary

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.Citlaltpetl.exe.ef0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.Citlaltpetl.exe.ef0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.Citlaltpetl.exe.2bf0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000002.00000002.1085144635.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00DD3B4C
Source: oCPGyn28rc.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: oCPGyn28rc.exe, 00000000.00000002.1056418518.0000000000E85000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_10a96127-7
Source: oCPGyn28rc.exe, 00000000.00000002.1056418518.0000000000E85000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_e1560209-e
Source: oCPGyn28rc.exe, 00000000.00000003.1053574055.0000000003F55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_81087d3d-c
Source: oCPGyn28rc.exe, 00000000.00000003.1053574055.0000000003F55000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_38c05198-a
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: This is a third-party compiled AutoIt script. 2_2_005B3B4C
Source: Citlaltpetl.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Citlaltpetl.exe, 00000002.00000000.1054168315.0000000000665000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3d6ee2a3-4
Source: Citlaltpetl.exe, 00000002.00000000.1054168315.0000000000665000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_8fb94d72-3
Source: Citlaltpetl.exe, 00000005.00000000.1172971282.0000000000665000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f37a1b28-8
Source: Citlaltpetl.exe, 00000005.00000000.1172971282.0000000000665000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_8f54ad17-a
Source: oCPGyn28rc.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_18506d59-4
Source: oCPGyn28rc.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_ec42d489-6
                  Source: Citlaltpetl.exe.0.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_dee28185-2
                  Source: Citlaltpetl.exe.0.drString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_74dd0031-f
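The rows above are the AutoIt runtime's own string table, present identically in the submitted sample, in the dropped copy under AppData\Local\pluff, and in both process instances; the marker sentence is what the "Binary is likely a compiled AutoIt script file" signature keys on. The scanner below is an added example, not code from the report or from the sample: it flags a file or memory region as compiled AutoIt using that marker and the AutoIt3GUI class name quoted above, and additionally the "AU3!EA06" script-resource magic, which is the well-known AutoIt v3 signature and is an assumption here since the report does not list it. It also pulls out the SeXxxPrivilege names from the same cluster, which the loader adjusts before its CreateProcessAsUserW path. The sample blob is constructed to mimic the report's strings.

```python
"""Added example (not from the Joe Sandbox report or the sample): identify a
compiled AutoIt binary from the marker strings the report lists and collect
the token-privilege names that sit in the same string cluster."""
import re
from pathlib import Path

AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."   # quoted in the report
AUTOIT_GUI_CLASS = b"AutoIt3GUI"                                  # quoted in the report
AU3_MAGIC = b"AU3!EA06"   # assumption: public AutoIt v3 script-resource magic, not in the report
# Lazy quantifier: the report shows the names glued together with no separator
# (SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilege...), so a greedy
# match would swallow the whole run as one "privilege".
PRIV_RE = re.compile(rb"Se[A-Za-z]+?Privilege")


def scan_autoit(blob: bytes) -> dict:
    """Return indicator offsets, privilege names and a verdict for one blob."""
    def offsets(needle: bytes) -> list:
        return [m.start() for m in re.finditer(re.escape(needle), blob)]

    result = {
        "marker": offsets(AUTOIT_MARKER),
        "gui_class": offsets(AUTOIT_GUI_CLASS),
        "au3_magic": offsets(AU3_MAGIC),
        "privileges": sorted({p.decode() for p in PRIV_RE.findall(blob)}),
    }
    # The marker sentence or the resource magic is decisive on its own; the
    # window-class string only corroborates (GUI libraries reuse such names).
    result["is_compiled_autoit"] = bool(result["marker"] or result["au3_magic"])
    return result


def scan_path(path: str) -> dict:
    """Scan a file on disk (a dropped PE or a raw memory dump) in one read."""
    return scan_autoit(Path(path).read_bytes())


# Constructed stand-in for the string cluster shown in the report; not a real file.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"SDSOFTWARE\\Classes\\CLSID\\IPC$"
    + AUTOIT_MARKER
    + b'"runasError allocating memory.'
    + b"SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilege"
    + b"SeBackupPrivilegeSeRestorePrivilegewinsta0\\default"
    + b"ThumbnailClass" + AUTOIT_GUI_CLASS + b"Container"
    + b"\x00" * 8 + AU3_MAGIC + b"\x00" * 8
)

if __name__ == "__main__":
    import json
    import sys
    target = scan_path(sys.argv[1]) if len(sys.argv) > 1 else scan_autoit(SAMPLE)
    print(json.dumps(target, indent=2))
```

Run it against the dropped Citlaltpetl.exe or against an .sdmp region exported from the sandbox; a hit on the marker plus a non-empty privilege list is the same evidence the report's signature summarises, and the offsets let you jump straight to the string table in a hex view.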
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E340B1: CreateFileW,_memset,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E28858: _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E3545F: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_0061545F: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DDE800
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DFDBB5
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DDFE40
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E5804A
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DDE060
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DE4140
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DF2405
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E06522
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E50665
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E0267E
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DE6843
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DF283A
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E089DF
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E50AE2
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E06A94
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DE8A0E
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E2EB07
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E38B13
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DFCD61
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E07006
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DE3190
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DE710E
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DD1287
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DF33C7
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DF16C4
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DE5680
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DE58C0
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DF1BB8
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DF1FD0
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DFBFE6
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_0183FBD8
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005BE800
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005DDBB5
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005BFE40
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_0063804A
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005BE060
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005C4140
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005D2405
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005E6522
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_00630665
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005E267E
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005C6843
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005D283A
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005E89DF
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005C8A0E
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_00630AE2
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005E6A94
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_0060EB07
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_00618B13
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005DCD61
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005E7006
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005C710E
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005C3190
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005B1287
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005D33C7
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005DF419
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005D16C4
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005C5680
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005D78D3
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005C58C0
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005D1BB8
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005E9D05
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005D1FD0
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_005DBFE6
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_00C316C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 3_2_014F41F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 3_2_014FB7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 3_2_014FAB38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 3_2_014F4AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 3_2_014F3EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 3_2_06C22358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 3_2_06C20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 3_2_06C20021
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 5_2_011C4620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_00E8B7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_00E84AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_00E8EA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_00E83EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_00E841F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_06672358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_06677960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_0667C168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_066761D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_06675180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_06677280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_0667E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_06670040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_066758D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function 6_2_06670006
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: String function 00DD7F41 appears 35 times
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: String function 00DF0D27 appears 70 times
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: String function 00DF8B40 appears 42 times
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: String function 005D0D27 appears 70 times
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: String function 005B7F41 appears 35 times
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: String function 005D8B40 appears 42 times
Source: oCPGyn28rc.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.Citlaltpetl.exe.ef0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.Citlaltpetl.exe.ef0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.Citlaltpetl.exe.2bf0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.1085144635.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, pedwBeAo9.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, Mi6W.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, s0nDliRGT.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, UGDeyt2ww1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, xpue.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, u4JW9.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, EBT4fOCjU.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, EBT4fOCjU.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, EBT4fOCjU.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, EBT4fOCjU.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@3/3
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E3A2D5: GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E28713: AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E28CC3: LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_00608713: AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function 2_2_00608CC3: LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E3B59E: SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E4F121: CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00E486D0: CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function 0_2_00DD4FE9: CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | File created: C:\Users\user\AppData\Local\pluff
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | File created: C:\Users\user\AppData\Local\Temp\aut820D.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citlaltpetl.vbs"
Source: oCPGyn28rc.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000003.00000002.1203762555.0000000003081000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1203762555.000000000306F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: oCPGyn28rc.exe | Virustotal: Detection: 70%
Source: oCPGyn28rc.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | File read: C:\Users\user\Desktop\oCPGyn28rc.exe
Source: unknown | Process created: C:\Users\user\Desktop\oCPGyn28rc.exe "C:\Users\user\Desktop\oCPGyn28rc.exe"
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Process created: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe "C:\Users\user\Desktop\oCPGyn28rc.exe"
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\oCPGyn28rc.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citlaltpetl.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe "C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe"
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe"
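The process creations above give the whole execution chain: the sample copies itself to AppData\Local\pluff as Citlaltpetl.exe, that copy starts the .NET utility RegSvcs.exe as the host for the AgentTesla payload, and on the next logon the Startup-folder Citlaltpetl.vbs has wscript.exe repeat the last two steps. Two details in those rows are the ones worth alerting on: RegSvcs.exe (and the dropped copy) is created with the parent's command line rather than its own, so the executable named in the command line does not match the image, which is the usual fingerprint of a suspended-process hollowing launch; and a signed Windows binary is being started by an executable living in a user-profile directory. The script below is an added detection example, not code from the report or the sample. The event fields (image, command_line, parent_image) are an assumption modelled on Sysmon Event ID 1 style telemetry, the events are constructed from the report's process tree (parent shown as empty where the report says "unknown", plus one constructed benign control), and the list of .NET hosts generalises beyond the RegSvcs.exe the report shows to RegAsm, InstallUtil and MSBuild, which are abused the same way.

```python
"""Added example (not from the Joe Sandbox report or the sample): process-tree
checks for the wscript -> AppData exe -> RegSvcs.exe chain in the report."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str               # full path of the created process
    command_line: str        # command line it was given
    parent_image: str = ""   # full path of the creator; "" when not known


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Signed .NET utilities under C:\Windows that are routinely used as hollowing
# hosts. RegSvcs.exe is what the report shows; the others are an assumed
# generalisation from the same technique.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
STARTUP_SCRIPT_RE = re.compile(
    r'\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^"]+\.(vbs|vbe|js|jse|wsf)\b',
    re.I)
USER_PROFILE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def first_token(cmdline: str) -> str:
    """Executable named by a Windows command line, quoted or bare."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def startup_script_launch(ev: ProcEvent) -> bool:
    """wscript/cscript started on a script that lives in the Startup folder."""
    return base(ev.image) in SCRIPT_HOSTS and bool(STARTUP_SCRIPT_RE.search(ev.command_line))


def script_host_spawns_profile_exe(ev: ProcEvent) -> bool:
    """A script host launching an executable from the user's profile."""
    return base(ev.parent_image) in SCRIPT_HOSTS and bool(USER_PROFILE_RE.match(ev.image))


def image_cmdline_mismatch(ev: ProcEvent) -> bool:
    """Hollowing tell: the child inherits the loader's command line, so the
    executable named in argv[0] is not the image that was actually created."""
    tok = first_token(ev.command_line)
    return bool(tok) and base(tok) != base(ev.image)


def dotnet_host_from_user_profile(ev: ProcEvent) -> bool:
    """A .NET framework utility started by something in a user-profile path."""
    return base(ev.image) in DOTNET_HOSTS and bool(USER_PROFILE_RE.match(ev.parent_image))


RULES = [
    ("startup_script_launch", startup_script_launch),
    ("script_host_spawns_profile_exe", script_host_spawns_profile_exe),
    ("image_cmdline_mismatch", image_cmdline_mismatch),
    ("dotnet_host_from_user_profile", dotnet_host_from_user_profile),
]


def analyze(events) -> dict:
    """Map pid -> list of rule names that fired, omitting clean processes."""
    findings = {}
    for ev in events:
        hits = [name for name, rule in RULES if rule(ev)]
        if hits:
            findings[ev.pid] = hits
    return findings


# Constructed from the report's process tree; pid 7 is a constructed benign control.
EVENTS = [
    ProcEvent(1, r"C:\Users\user\Desktop\oCPGyn28rc.exe",
              r'"C:\Users\user\Desktop\oCPGyn28rc.exe"'),
    ProcEvent(2, r"C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe",
              r'"C:\Users\user\Desktop\oCPGyn28rc.exe"',
              r"C:\Users\user\Desktop\oCPGyn28rc.exe"),
    ProcEvent(3, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Users\user\Desktop\oCPGyn28rc.exe"',
              r"C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe"),
    ProcEvent(4, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" '
              r'"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citlaltpetl.vbs"'),
    ProcEvent(5, r"C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe",
              r'"C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(6, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe"',
              r"C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe"),
    ProcEvent(7, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MyService.dll',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, hits in sorted(analyze(EVENTS).items()):
        print(pid, ", ".join(hits))
```

The mismatch rule is a tell, not a verdict: an unquoted command line whose path contains spaces will trip first_token, and some installers legitimately pass a different lpApplicationName and lpCommandLine to CreateProcess. Treat it as high-confidence only where it lands on the same process as dotnet_host_from_user_profile, which is exactly the pattern the two RegSvcs.exe rows above show.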
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: oCPGyn28rc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: oCPGyn28rc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: oCPGyn28rc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: oCPGyn28rc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: oCPGyn28rc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: oCPGyn28rc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: oCPGyn28rc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP | source: Citlaltpetl.exe, 00000002.00000003.1082199932.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Citlaltpetl.exe, 00000002.00000003.1080904872.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, Citlaltpetl.exe, 00000005.00000003.1199119266.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Citlaltpetl.exe, 00000005.00000003.1197208710.0000000003410000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Citlaltpetl.exe, 00000002.00000003.1082199932.0000000003640000.00000004.00001000.00020000.00000000.sdmp, Citlaltpetl.exe, 00000002.00000003.1080904872.00000000034A0000.00000004.00001000.00020000.00000000.sdmp, Citlaltpetl.exe, 00000005.00000003.1199119266.0000000003930000.00000004.00001000.00020000.00000000.sdmp, Citlaltpetl.exe, 00000005.00000003.1197208710.0000000003410000.00000004.00001000.00020000.00000000.sdmp
Source: oCPGyn28rc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: oCPGyn28rc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: oCPGyn28rc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: oCPGyn28rc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: oCPGyn28rc.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00E4C304 LoadLibraryA,GetProcAddress,0_2_00E4C304
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00DF8B85 push ecx; ret 0_2_00DF8B98
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00DFF778 push esp; retf 0_2_00DFF780
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00DFFDA8 push esp; retf 0_2_00DFFDA9
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeCode function: 2_2_005D8B85 push ecx; ret 2_2_005D8B98
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeCode function: 2_2_00C31DFC push ebx; retf 2_2_00C31E00
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeCode function: 5_2_011C4D24 push ebx; retf 5_2_011C4D28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E8AB38 push eax; retf 6_2_00E8AE99
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeFile created: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeJump to dropped file

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citlaltpetl.vbs
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00DD4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00DD4A35
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00E555FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00E555FD
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_005B4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_005B4A35
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Code function: 2_2_006355FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_006355FD
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Code function: 0_2_00DF33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00DF33C7
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: Citlaltpetl.exe PID: 6812, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Citlaltpetl.exe PID: 5404, type: MEMORYSTR
                  Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | API/Special instruction interceptor: Address: C312EC
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe | API/Special instruction interceptor: Address: 11C4244
                  Source: Citlaltpetl.exe, 00000002.00000002.1085144635.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1200036913.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1203762555.0000000003054000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1203762555.0000000002F9D000.00000004.00000800.00020000.00000000.sdmp, Citlaltpetl.exe, 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3499965482.00000000029ED000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599887
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599638
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599379
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599250
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599003
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598859
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597892
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597218
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597109
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596999
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596889
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599531
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599422
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599312
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599203
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599094
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598641
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598516
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598186
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598073
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597952
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597843
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597729
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597619
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595219
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595094
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594655
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594520
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593672
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593547
                  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1581
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2116
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2292Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7538Jump to behavior
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-100214
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeAPI coverage: 4.8 %
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeAPI coverage: 5.0 %
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00E34696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00E34696
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00E3C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00E3C9C7
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00E3C93C FindFirstFileW,FindClose,0_2_00E3C93C
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00E3F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E3F200
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00E3F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E3F35D
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00E3F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E3F65E
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00E33A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E33A2B
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00E33D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E33D4E
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00E3BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E3BF27
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeCode function: 2_2_00614696 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00614696
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeCode function: 2_2_0061C93C FindFirstFileW,FindClose,2_2_0061C93C
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeCode function: 2_2_0061C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0061C9C7
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeCode function: 2_2_0061F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0061F200
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeCode function: 2_2_0061F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0061F35D
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeCode function: 2_2_0061F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0061F65E
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeCode function: 2_2_00613A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00613A2B
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeCode function: 2_2_00613D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00613D4E
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeCode function: 2_2_0061BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0061BF27
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exeCode function: 0_2_00DD4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00DD4AFE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599887Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599638Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599530Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599379Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599250Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599140Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599003Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598859Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598547Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598203Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597892Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597765Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597656Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597547Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597437Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597328Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597218Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597109Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596999Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596889Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599766Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599641Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599531Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599422Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599312Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599203Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599094Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598984Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598766Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598641Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598516Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598406Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598297Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598186Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598073Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597952Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597843Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597729Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597619Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99862Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99711Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99585Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99449Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99269Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99141Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99016Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98891Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98672Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98563Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98438Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98313Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595765Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595656Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595547Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595437Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595328Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595219Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595094Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594984Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594766Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594655Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594520Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594140Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593672Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593547Jump to behavior
                  Source: RegSvcs.exe, 00000006.00000002.3499965482.00000000029ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                  Source: wscript.exe, 00000004.00000002.1174992727.0000023E2EFA5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: RegSvcs.exe, 00000006.00000002.3499965482.00000000029ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: Citlaltpetl.exe, 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                  Source: wscript.exe, 00000004.00000002.1174992727.0000023E2EFA5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                  Source: RegSvcs.exe, 00000003.00000002.1205480532.0000000006200000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
                  Source: RegSvcs.exe, 00000006.00000002.3501974984.0000000005CC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exeAPI call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Code function: 3_2_014F7EA8 CheckRemoteDebuggerPresent, 3_2_014F7EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Process queried: DebugPort
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00E441FD BlockInput, 0_2_00E441FD
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00DD3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00DD3B4C
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00E05CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00E05CCC
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00E4C304 LoadLibraryA,GetProcAddress, 0_2_00E4C304
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_0183E448 mov eax, dword ptr fs:[00000030h] 0_2_0183E448
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_0183FAC8 mov eax, dword ptr fs:[00000030h] 0_2_0183FAC8
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_0183FA68 mov eax, dword ptr fs:[00000030h] 0_2_0183FA68
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Code function: 2_2_00C315B8 mov eax, dword ptr fs:[00000030h] 2_2_00C315B8
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Code function: 2_2_00C31558 mov eax, dword ptr fs:[00000030h] 2_2_00C31558
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Code function: 2_2_00C2FF38 mov eax, dword ptr fs:[00000030h] 2_2_00C2FF38
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Code function: 5_2_011C4510 mov eax, dword ptr fs:[00000030h] 5_2_011C4510
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Code function: 5_2_011C2E90 mov eax, dword ptr fs:[00000030h] 5_2_011C2E90
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Code function: 5_2_011C44B0 mov eax, dword ptr fs:[00000030h] 5_2_011C44B0
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00E281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00E281F7
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00DFA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DFA395
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00DFA364 SetUnhandledExceptionFilter, 0_2_00DFA364
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Code function: 2_2_005DA364 SetUnhandledExceptionFilter, 2_2_005DA364
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Code function: 2_2_005DA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_005DA395
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D45008
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9F7008
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00E28C93 LogonUserW, 0_2_00E28C93
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00DD3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00DD3B4C
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00DD4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00DD4A35
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00E34EF5 mouse_event, 0_2_00E34EF5
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\oCPGyn28rc.exe"
Source: C:\Windows\System32\wscript.exe    Process created: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe "C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe"
Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe    Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe"
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00E281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00E281F7
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00E34C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00E34C03
Source: oCPGyn28rc.exe, Citlaltpetl.exe.0.dr    Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: oCPGyn28rc.exe, Citlaltpetl.exe    Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00DF886B cpuid 0_2_00DF886B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00E050D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00E050D7
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00E12230 GetUserNameW, 0_2_00E12230
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00E0418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00E0418A
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Code function: 0_2_00DD4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00DD4AFE
Source: C:\Users\user\Desktop\oCPGyn28rc.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

                  Source: Yara matchFile source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.Citlaltpetl.exe.ef0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.Citlaltpetl.exe.ef0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.Citlaltpetl.exe.2bf0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.1200036913.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.1085144635.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.3499965482.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000006.00000002.3499965482.00000000029ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Citlaltpetl.exe PID: 6812, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6900, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Citlaltpetl.exe PID: 5404, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 5224, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\FTP Navigator\Ftplist.txt
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Citlaltpetl.exe; Binary or memory string: WIN_81
                  Source: Citlaltpetl.exe; Binary or memory string: WIN_XP
                  Source: Citlaltpetl.exe; Binary or memory string: WIN_XPe
                  Source: Citlaltpetl.exe; Binary or memory string: WIN_VISTA
                  Source: Citlaltpetl.exe; Binary or memory string: WIN_7
                  Source: Citlaltpetl.exe; Binary or memory string: WIN_8
                  Source: Citlaltpetl.exe.0.dr; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                  Source: Yara match; File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 5.2.Citlaltpetl.exe.ef0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 5.2.Citlaltpetl.exe.ef0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.Citlaltpetl.exe.2bf0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000003.00000002.1200036913.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.1085144635.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000006.00000002.3499965482.00000000029ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: Citlaltpetl.exe PID: 6812, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6900, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: Citlaltpetl.exe PID: 5404, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5224, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match; File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 5.2.Citlaltpetl.exe.ef0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 5.2.Citlaltpetl.exe.ef0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.Citlaltpetl.exe.2bf0000.1.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 2.2.Citlaltpetl.exe.2bf0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000003.00000002.1200036913.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000005.00000002.1199644573.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000002.00000002.1085144635.0000000002BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000006.00000002.3499965482.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000006.00000002.3499965482.00000000029ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: Citlaltpetl.exe PID: 6812, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6900, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: Citlaltpetl.exe PID: 5404, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5224, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exe; Code function: 0_2_00E46596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                  Source: C:\Users\user\Desktop\oCPGyn28rc.exe; Code function: 0_2_00E46A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe; Code function: 2_2_00626596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                  Source: C:\Users\user\AppData\Local\pluff\Citlaltpetl.exe; Code function: 2_2_00626A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                  MITRE ATT&CK Matrix (one row per matrix line; numbers in parentheses are the signature-count badges shown in the report's cell, cells without a number had no matching signature)

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Scripting (111) | Valid Accounts (2) | Windows Management Instrumentation (221) | Scripting (111) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (11) | OS Credential Dumping (2) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
                  Credentials | Domains | Default Accounts | Native API (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (11) | Input Capture (121) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (2) | Encrypted Channel (12) | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Valid Accounts (2) | Valid Accounts (2) | Obfuscated Files or Information (2) | Credentials in Registry (1) | File and Directory Discovery (2) | SMB/Windows Admin Shares | Email Collection (1) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Registry Run Keys / Startup Folder (2) | Access Token Manipulation (21) | DLL Side-Loading (1) | NTDS | System Information Discovery (138) | Distributed Component Object Model | Input Capture (121) | Non-Application Layer Protocol (2) | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (212) | Masquerading (1) | LSA Secrets | Security Software Discovery (751) | SSH | Clipboard Data (3) | Application Layer Protocol (13) | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (2) | Valid Accounts (2) | Cached Domain Credentials | Virtualization/Sandbox Evasion (231) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (231) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (21) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (212) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Network Configuration Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                  Behavior Graph (rendered graph not available; recoverable node and edge information listed below)

                  Behavior Graph ID: 1631773; Sample: oCPGyn28rc.exe; Startdate: 07/03/2025; Architecture: WINDOWS; Score: 100
                  Contacted domains/IPs: mail.daipro.com.mx; daipro.com.mx; 2 other IPs or domains
                  Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures

                  Process tree:
                  • oCPGyn28rc.exe (started)
                    Dropped: C:\Users\user\AppData\...\Citlaltpetl.exe, PE32
                    Signatures: Binary is likely a compiled AutoIt script file
                    • Citlaltpetl.exe (started)
                      Dropped: C:\Users\user\AppData\...\Citlaltpetl.vbs, data
                      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; 3 other signatures
                      • RegSvcs.exe (started)
                        Network: ip-api.com 208.95.112.1, ports 49700, 49707, 80, TUT-ASUS, United States; api.ipify.org 104.26.13.205, ports 443, 49698, 49699, CLOUDFLARENETUS, United States
                        Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                  • wscript.exe (started)
                    Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    • Citlaltpetl.exe (started)
                      Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                      • RegSvcs.exe (started)
                        Network: daipro.com.mx 144.217.198.22, ports 49708, 587, OVHFR, Canada
                        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
