Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
TfRJR0Y3uW.exe

Overview

General Information

Sample name:TfRJR0Y3uW.exe
renamed because original name is a hash value
Original sample name:0493ed59e3ab45bf3767e3cdcdddd29b71233c60fa00d3e83116f7af3041a9e3.exe
Analysis ID:1632223
MD5:dc1af167e23a106450bbaedf3a2f2a18
SHA1:f514f2ceef6ccbd697d3783ec35de39d0f82fdb0
SHA256:0493ed59e3ab45bf3767e3cdcdddd29b71233c60fa00d3e83116f7af3041a9e3
Tags:exeMassLoggeruser-adrian__luca
Infos:

Detection

MSIL Logger, MassLogger RAT
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • TfRJR0Y3uW.exe (PID: 3828 cmdline: "C:\Users\user\Desktop\TfRJR0Y3uW.exe" MD5: DC1AF167E23A106450BBAEDF3A2F2A18)
    • RegSvcs.exe (PID: 6176 cmdline: "C:\Users\user\Desktop\TfRJR0Y3uW.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "securityz@grupomaya.mx", "Password": "    54460hetteXzeLJ  Z+l!UyU_nadu     \u2605\u0b9c\u0b9c", "Server": "mail.grupomaya.mx", "Port": 587}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
    00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_MSILLoggerYara detected MSIL LoggerJoe Security
        00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
          00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
          • 0xf1b7:$a1: get_encryptedPassword
          • 0xf4df:$a2: get_encryptedUsername
          • 0xef52:$a3: get_timePasswordChanged
          • 0xf073:$a4: get_passwordField
          • 0xf1cd:$a5: set_encryptedPassword
          • 0x10b29:$a7: get_logins
          • 0x107da:$a8: GetOutlookPasswords
          • 0x105cc:$a9: StartKeylogger
          • 0x10a79:$a10: KeyLoggerEventArgs
          • 0x10629:$a11: KeyLoggerEventArgsEventHandler
          Click to see the 18 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.TfRJR0Y3uW.exe.3a20000.1.unpackJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
            0.2.TfRJR0Y3uW.exe.3a20000.1.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.TfRJR0Y3uW.exe.3a20000.1.unpackJoeSecurity_MSILLoggerYara detected MSIL LoggerJoe Security
                0.2.TfRJR0Y3uW.exe.3a20000.1.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                  0.2.TfRJR0Y3uW.exe.3a20000.1.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                  • 0xd3b7:$a1: get_encryptedPassword
                  • 0xd6df:$a2: get_encryptedUsername
                  • 0xd152:$a3: get_timePasswordChanged
                  • 0xd273:$a4: get_passwordField
                  • 0xd3cd:$a5: set_encryptedPassword
                  • 0xed29:$a7: get_logins
                  • 0xe9da:$a8: GetOutlookPasswords
                  • 0xe7cc:$a9: StartKeylogger
                  • 0xec79:$a10: KeyLoggerEventArgs
                  • 0xe829:$a11: KeyLoggerEventArgsEventHandler
                  Click to see the 13 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Suspicious Outbound SMTP Connections
                  Source: Network ConnectionAuthor: frack113: Data: DesusertionIp: 198.59.144.139, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6176, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49685

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2025-03-07T21:08:18.718235+010028032742Potentially Bad Traffic192.168.2.949683132.226.8.16980TCP
                  2025-03-07T21:08:26.343181+010028032742Potentially Bad Traffic192.168.2.949683132.226.8.16980TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: TfRJR0Y3uW.exeAvira: detected
                  Found malware configuration
                  Source: 1.2.RegSvcs.exe.400000.0.unpackMalware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "securityz@grupomaya.mx", "Password": " 54460hetteXzeLJ Z+l!UyU_nadu \u2605\u0b9c\u0b9c", "Server": "mail.grupomaya.mx", "Port": 587}
                  Multi AV Scanner detection for submitted file
                  Source: TfRJR0Y3uW.exeVirustotal: Detection: 57%Perma Link
                  Source: TfRJR0Y3uW.exeReversingLabs: Detection: 52%
                  Joe Sandbox ML detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability

                  Location Tracking

                  barindex
                  Tries to detect the country of the analysis system (by using the IP)
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: TfRJR0Y3uW.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.9:49684 version: TLS 1.0
                  Source: Binary string: wntdll.pdbUGP source: TfRJR0Y3uW.exe, 00000000.00000003.1027944675.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, TfRJR0Y3uW.exe, 00000000.00000003.1027138845.0000000003C00000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: TfRJR0Y3uW.exe, 00000000.00000003.1027944675.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, TfRJR0Y3uW.exe, 00000000.00000003.1027138845.0000000003C00000.00000004.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F0445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00F0445A
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F0C6D1 FindFirstFileW,FindClose,0_2_00F0C6D1
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00F0C75C
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F0F3F3
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F037EF
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F03B12
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 01019731h1_2_01019480
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 01019E5Ah1_2_01019A30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 01019E5Ah1_2_01019D87
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050F5E15h1_2_050F5AD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050F47C9h1_2_050F4520
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050F8830h1_2_050F8588
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050F76D0h1_2_050F7428
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050FF700h1_2_050FF458
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050FE9F8h1_2_050FE750
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050F5929h1_2_050F5680
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050F83D8h1_2_050F8130
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050FE5A0h1_2_050FE180
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050FF2A8h1_2_050FF000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050F54D1h1_2_050F5228
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050F5079h1_2_050F4DD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050F7F80h1_2_050F7CD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050F7278h1_2_050F6FD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050F4C21h1_2_050F4978
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050F7B28h1_2_050F7880
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050FFB58h1_2_050FF8B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 050FEE50h1_2_050FEBA8
                  Source: global trafficTCP traffic: 192.168.2.9:49685 -> 198.59.144.139:587
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
                  Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
                  Source: Joe Sandbox ViewIP Address: 104.21.32.1 104.21.32.1
                  Source: Joe Sandbox ViewASN Name: HYPEENT-SJUS HYPEENT-SJUS
                  Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: unknownDNS query: name: checkip.dyndns.org
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49683 -> 132.226.8.169:80
                  Source: global trafficTCP traffic: 192.168.2.9:49685 -> 198.59.144.139:587
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: unknownHTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.9:49684 version: TLS 1.0
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F122EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00F122EE
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global trafficDNS traffic detected: DNS query: mail.grupomaya.mx
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002BB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002BB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comd
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002B9E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2255921254.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/d
                  Source: TfRJR0Y3uW.exe, 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2254311224.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002BB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgd
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://grupomaya.mx
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://grupomaya.mxd
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.grupomaya.mx
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.grupomaya.mxd
                  Source: RegSvcs.exe, 00000001.00000002.2257316854.0000000006075000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2257316854.0000000006088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r10.i.lencr.org/0
                  Source: RegSvcs.exe, 00000001.00000002.2257316854.0000000006075000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2257316854.0000000006088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://r10.o.lencr.org0#
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002BCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002BCD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: RegSvcs.exe, 00000001.00000002.2257316854.0000000006075000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2257316854.0000000006088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                  Source: RegSvcs.exe, 00000001.00000002.2257316854.0000000006075000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2257316854.0000000006088000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                  Source: TfRJR0Y3uW.exe, 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2254311224.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002BB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                  Source: TfRJR0Y3uW.exe, 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2255921254.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2254311224.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002BB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002BB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49684
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49684 -> 443

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Contains functionality to log keystrokes (.Net Source)
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, UltraSpeed.cs.Net Code: VKCodeToUnicode
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F0001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00F0001C
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F2CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00F2CABC

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000001.00000002.2254311224.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: TfRJR0Y3uW.exe PID: 3828, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: RegSvcs.exe PID: 6176, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Binary is likely a compiled AutoIt script file
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: This is a third-party compiled AutoIt script.0_2_00EA3B3A
                  Source: TfRJR0Y3uW.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: TfRJR0Y3uW.exe, 00000000.00000000.1012211408.0000000000F54000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_ce84788f-8
                  Source: TfRJR0Y3uW.exe, 00000000.00000000.1012211408.0000000000F54000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_b93fc249-7
                  Source: TfRJR0Y3uW.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_0a4d1eab-8
                  Source: TfRJR0Y3uW.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_7338ec96-e
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F03DE2: CreateFileW,DeviceIoControl,CloseHandle,0_2_00F03DE2
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EF8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00EF8310
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00F051BD
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EAE6A00_2_00EAE6A0
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ECD9750_2_00ECD975
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EC21C50_2_00EC21C5
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ED62D20_2_00ED62D2
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ED242E0_2_00ED242E
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EC25FA0_2_00EC25FA
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EB66E10_2_00EB66E1
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EFE6160_2_00EFE616
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ED878F0_2_00ED878F
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F088890_2_00F08889
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F208570_2_00F20857
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ED68440_2_00ED6844
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EB88080_2_00EB8808
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ECCB210_2_00ECCB21
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ED6DB60_2_00ED6DB6
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EB6F9E0_2_00EB6F9E
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EB30300_2_00EB3030
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ECF1D90_2_00ECF1D9
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EC31870_2_00EC3187
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EA12870_2_00EA1287
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EC14840_2_00EC1484
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EB55200_2_00EB5520
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EC76960_2_00EC7696
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EB57600_2_00EB5760
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EC19780_2_00EC1978
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ED9AB50_2_00ED9AB5
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EAFCE00_2_00EAFCE0
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F27DDB0_2_00F27DDB
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ECBDA60_2_00ECBDA6
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EC1D900_2_00EC1D90
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EB3FE00_2_00EB3FE0
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EADF000_2_00EADF00
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_03A135F00_2_03A135F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0101C5301_2_0101C530
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_010127B91_2_010127B9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01012DD11_2_01012DD1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_010194801_2_01019480
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0101C5211_2_0101C521
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0101946F1_2_0101946F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F61381_2_050F6138
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F13571_2_050F1357
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FBC601_2_050FBC60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FAF001_2_050FAF00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F89E01_2_050F89E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F0AB81_2_050F0AB8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F5AD81_2_050F5AD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F450F1_2_050F450F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F45201_2_050F4520
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F85791_2_050F8579
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F85881_2_050F8588
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F74181_2_050F7418
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F74281_2_050F7428
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FF4481_2_050FF448
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FF4581_2_050FF458
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FE7401_2_050FE740
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FE7501_2_050FE750
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F566F1_2_050F566F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F56801_2_050F5680
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F81201_2_050F8120
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F81301_2_050F8130
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FE1801_2_050FE180
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FF0001_2_050FF000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F03201_2_050F0320
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F03301_2_050F0330
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F521A1_2_050F521A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F52281_2_050F5228
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F4DC01_2_050F4DC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F4DD01_2_050F4DD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F7CC81_2_050F7CC8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F0CD81_2_050F0CD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F7CD81_2_050F7CD8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F6FC31_2_050F6FC3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F6FC11_2_050F6FC1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F6FD01_2_050F6FD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FEFF01_2_050FEFF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F49691_2_050F4969
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F49781_2_050F4978
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F89D01_2_050F89D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F78711_2_050F7871
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F78801_2_050F7880
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FF8A11_2_050FF8A1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FF8B01_2_050FF8B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FEB981_2_050FEB98
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050FEBA81_2_050FEBA8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F5ACA1_2_050F5ACA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_068A26301_2_068A2630
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_068A4D781_2_068A4D78
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: String function: 00EC0AE3 appears 70 times
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: String function: 00EA7DE1 appears 35 times
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: String function: 00EC8900 appears 36 times
                  Source: TfRJR0Y3uW.exe, 00000000.00000003.1025427039.0000000003B63000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TfRJR0Y3uW.exe
                  Source: TfRJR0Y3uW.exe, 00000000.00000003.1026256845.0000000003D0D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TfRJR0Y3uW.exe
                  Source: TfRJR0Y3uW.exe, 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs TfRJR0Y3uW.exe
                  Source: TfRJR0Y3uW.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000001.00000002.2254311224.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: TfRJR0Y3uW.exe PID: 3828, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: RegSvcs.exe PID: 6176, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/4@3/3
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F0A06A GetLastError,FormatMessageW,0_2_00F0A06A
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EF81CB AdjustTokenPrivileges,CloseHandle,0_2_00EF81CB
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EF87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00EF87E1
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F0B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00F0B3FB
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F1EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00F1EE0D
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F183BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_00F183BB
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EA4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00EA4E89
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeFile created: C:\Users\user\AppData\Local\Temp\aut31A7.tmpJump to behavior
                  Source: TfRJR0Y3uW.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: RegSvcs.exe, 00000001.00000002.2255921254.0000000002C10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2256658702.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2255921254.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2255921254.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2255921254.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2255921254.0000000002C2E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: TfRJR0Y3uW.exeVirustotal: Detection: 57%
                  Source: TfRJR0Y3uW.exeReversingLabs: Detection: 52%
                  Source: unknownProcess created: C:\Users\user\Desktop\TfRJR0Y3uW.exe "C:\Users\user\Desktop\TfRJR0Y3uW.exe"
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\TfRJR0Y3uW.exe"
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\TfRJR0Y3uW.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: TfRJR0Y3uW.exeStatic file information: File size 80740352 > 1048576
                  Source: TfRJR0Y3uW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: TfRJR0Y3uW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: TfRJR0Y3uW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: TfRJR0Y3uW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: TfRJR0Y3uW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: TfRJR0Y3uW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: TfRJR0Y3uW.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: TfRJR0Y3uW.exe, 00000000.00000003.1027944675.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, TfRJR0Y3uW.exe, 00000000.00000003.1027138845.0000000003C00000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: TfRJR0Y3uW.exe, 00000000.00000003.1027944675.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, TfRJR0Y3uW.exe, 00000000.00000003.1027138845.0000000003C00000.00000004.00001000.00020000.00000000.sdmp
                  Source: TfRJR0Y3uW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: TfRJR0Y3uW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: TfRJR0Y3uW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: TfRJR0Y3uW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: TfRJR0Y3uW.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EA4B37 LoadLibraryA,GetProcAddress,0_2_00EA4B37
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F0848F push FFFFFF8Bh; iretd 0_2_00F08491
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EC8945 push ecx; ret 0_2_00EC8958
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_068A8EAC push es; retf 1_2_068A8EB4
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F25376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00F25376
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EC3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00EC3187
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Switches to a custom stack to bypass stack traces
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeAPI/Special instruction interceptor: Address: 3A13214
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1199Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 4279Jump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-102771
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeAPI coverage: 5.1 %
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F0445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00F0445A
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F0C6D1 FindFirstFileW,FindClose,0_2_00F0C6D1
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F0C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00F0C75C
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F0F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F0F3F3
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F037EF
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F03B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F03B12
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00EA49A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99765Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99656Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99547Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99422Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99312Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99203Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99082Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98953Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98842Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98734Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98581Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98453Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98343Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98147Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98029Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97922Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97812Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97703Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97593Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97484Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: RegSvcs.exe, 00000001.00000002.2255204010.0000000000E46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeAPI call chain: ExitProcess graph end nodegraph_0-102007
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_050F0AB8 LdrInitializeThunk,LdrInitializeThunk,1_2_050F0AB8
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F13F09 BlockInput,0_2_00F13F09
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00EA3B3A
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ED5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00ED5A7C
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EA4B37 LoadLibraryA,GetProcAddress,0_2_00EA4B37
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_03A13480 mov eax, dword ptr fs:[00000030h]0_2_03A13480
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_03A134E0 mov eax, dword ptr fs:[00000030h]0_2_03A134E0
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_03A11E70 mov eax, dword ptr fs:[00000030h]0_2_03A11E70
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EF80C9 GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_00EF80C9
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ECA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00ECA155
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ECA124 SetUnhandledExceptionFilter,0_2_00ECA124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  .NET source code references suspicious native API functions
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, UltraSpeed.csReference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, FFDecryptor.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, FFDecryptor.csReference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                  Maps a DLL or memory area into another process
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and writeJump to behavior
                  Writes to foreign memory regions
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AF3008Jump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EF87B1 LogonUserW,0_2_00EF87B1
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EA3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00EA3B3A
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F012C7 SendInput,keybd_event,0_2_00F012C7
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F04C7F mouse_event,0_2_00F04C7F
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\TfRJR0Y3uW.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EF7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00EF7CAF
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EF874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00EF874B
                  Source: TfRJR0Y3uW.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: TfRJR0Y3uW.exeBinary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EC862B cpuid 0_2_00EC862B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00ED4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00ED4E87
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EE1E06 GetUserNameW,0_2_00EE1E06
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00EA49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00EA49A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected MSIL Logger
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2254311224.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: TfRJR0Y3uW.exe PID: 3828, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6176, type: MEMORYSTR
                  Yara detected MassLogger RAT
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2254311224.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: TfRJR0Y3uW.exe PID: 3828, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6176, type: MEMORYSTR
                  Yara detected Telegram RAT
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2254311224.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: TfRJR0Y3uW.exe PID: 3828, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6176, type: MEMORYSTR
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: TfRJR0Y3uW.exeBinary or memory string: WIN_81
                  Source: TfRJR0Y3uW.exeBinary or memory string: WIN_XP
                  Source: TfRJR0Y3uW.exeBinary or memory string: WIN_XPe
                  Source: TfRJR0Y3uW.exeBinary or memory string: WIN_VISTA
                  Source: TfRJR0Y3uW.exeBinary or memory string: WIN_7
                  Source: TfRJR0Y3uW.exeBinary or memory string: WIN_8
                  Source: TfRJR0Y3uW.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2254311224.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: TfRJR0Y3uW.exe PID: 3828, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6176, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected MSIL Logger
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2254311224.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: TfRJR0Y3uW.exe PID: 3828, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6176, type: MEMORYSTR
                  Yara detected MassLogger RAT
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2254311224.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: TfRJR0Y3uW.exe PID: 3828, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6176, type: MEMORYSTR
                  Yara detected Telegram RAT
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.TfRJR0Y3uW.exe.3a20000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.1038424963.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2254311224.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.2255921254.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: TfRJR0Y3uW.exe PID: 3828, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6176, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\TfRJR0Y3uW.exeCode function: 0_2_00F16747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00F16747

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire Infrastructure2
                  Valid Accounts                  		12
                  Native API                  		1
                  DLL Side-Loading                  		1
                  Exploitation for Privilege Escalation                  		11
                  Disable or Modify Tools                  		1
                  OS Credential Dumping                  		1
                  System Time Discovery                  		Remote Services11
                  Archive Collected Data                  		2
                  Ingress Tool Transfer                  		Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault AccountsScheduled Task/Job2
                  Valid Accounts                  		1
                  DLL Side-Loading                  		11
                  Deobfuscate/Decode Files or Information                  		121
                  Input Capture                  		1
                  Account Discovery                  		Remote Desktop Protocol1
                  Data from Local System                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
                  Valid Accounts                  		3
                  Obfuscated Files or Information                  		Security Account Manager1
                  File and Directory Discovery                  		SMB/Windows Admin Shares1
                  Email Collection                  		1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                  Access Token Manipulation                  		1
                  DLL Side-Loading                  		NTDS127
                  System Information Discovery                  		Distributed Component Object Model121
                  Input Capture                  		2
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                  Process Injection                  		2
                  Valid Accounts                  		LSA Secrets131
                  Security Software Discovery                  		SSHKeylogging23
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                  Virtualization/Sandbox Evasion                  		Cached Domain Credentials11
                  Virtualization/Sandbox Evasion                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
                  Access Token Manipulation                  		DCSync2
                  Process Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job212
                  Process Injection                  		Proc Filesystem11
                  Application Window Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                  System Owner/User Discovery                  		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                  System Network Configuration Discovery                  		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.