Windows Analysis Report
lvrHOgPXr5.exe

Overview

General Information

Sample name: lvrHOgPXr5.exe (renamed because original name is a hash value)
Original sample name: ba420b987ad71963f3a5dd164b9f7fe8470fa6100fb91f041f09f8c6e185296d.exe
Analysis ID: 1632367
MD5: 0c7cda86f01f8e3c46b43f190aff661e
SHA1: 6f65ca79cb898a7fa714aaccfbd49afce5aaddcc
SHA256: ba420b987ad71963f3a5dd164b9f7fe8470fa6100fb91f041f09f8c6e185296d
Tags: exe, MassLogger, user-adrian__luca

Detection

MSIL Logger, MassLogger RAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • lvrHOgPXr5.exe (PID: 6896 cmdline: "C:\Users\user\Desktop\lvrHOgPXr5.exe" MD5: 0C7CDA86F01F8E3C46B43F190AFF661E)
    • RegSvcs.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\lvrHOgPXr5.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
{"EXfil Mode": "SMTP", "From": "securityz@grupomaya.mx", "Password": "    54460hetteXzeLJ  Z+l!UyU_nadu     \u2605\u0b9c\u0b9c", "Server": "mail.grupomaya.mx", "Port": 587}
Source | Rule | Description | Author | Strings
00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xefb7:$a1: get_encryptedPassword
  • 0xf2df:$a2: get_encryptedUsername
  • 0xed52:$a3: get_timePasswordChanged
  • 0xee73:$a4: get_passwordField
  • 0xefcd:$a5: set_encryptedPassword
  • 0x10929:$a7: get_logins
  • 0x105da:$a8: GetOutlookPasswords
  • 0x103cc:$a9: StartKeylogger
  • 0x10879:$a10: KeyLoggerEventArgs
  • 0x10429:$a11: KeyLoggerEventArgsEventHandler
Source | Rule | Description | Author | Strings
1.2.RegSvcs.exe.750000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
1.2.RegSvcs.exe.750000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.2.RegSvcs.exe.750000.0.unpack | JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
1.2.RegSvcs.exe.750000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
1.2.RegSvcs.exe.750000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xf1b7:$a1: get_encryptedPassword
  • 0xf4df:$a2: get_encryptedUsername
  • 0xef52:$a3: get_timePasswordChanged
  • 0xf073:$a4: get_passwordField
  • 0xf1cd:$a5: set_encryptedPassword
  • 0x10b29:$a7: get_logins
  • 0x107da:$a8: GetOutlookPasswords
  • 0x105cc:$a9: StartKeylogger
  • 0x10a79:$a10: KeyLoggerEventArgs
  • 0x10629:$a11: KeyLoggerEventArgsEventHandler

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 198.59.144.139, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6984, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49685

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T22:53:59.722878+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49681 | 193.122.6.168 | 80 | TCP
2025-03-07T22:54:16.425098+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49684 | 193.122.6.168 | 80 | TCP


AV Detection

Source: lvrHOgPXr5.exe | Avira: detected
Source: 1.2.RegSvcs.exe.750000.0.unpack | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "securityz@grupomaya.mx", "Password": " 54460hetteXzeLJ Z+l!UyU_nadu \u2605\u0b9c\u0b9c", "Server": "mail.grupomaya.mx", "Port": 587}
Source: lvrHOgPXr5.exe | Virustotal: Detection: 56%
Source: lvrHOgPXr5.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: lvrHOgPXr5.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.7:49683 version: TLS 1.0
Source: Binary string: wntdll.pdbUGP source: lvrHOgPXr5.exe, 00000000.00000003.875826040.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, lvrHOgPXr5.exe, 00000000.00000003.878000920.0000000003C90000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: lvrHOgPXr5.exe, 00000000.00000003.875826040.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, lvrHOgPXr5.exe, 00000000.00000003.878000920.0000000003C90000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D94696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00D94696
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D9C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00D9C9C7
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D9C93C FindFirstFileW,FindClose,0_2_00D9C93C
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D9F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D9F200
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D9F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D9F35D
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D9F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D9F65E
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D93A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D93A2B
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D93D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D93D4E
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D9BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D9BF27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 025D9CB9h 1_2_025D9A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 025DA3E2h 1_2_025D9FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 025DA3E2h 1_2_025DA30F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 025DA3E2h 1_2_025D9FB8
Source: global traffic | TCP traffic: 192.168.2.7:49685 -> 198.59.144.139:587
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View | IP Address: 198.59.144.139 198.59.144.139
Source: Joe Sandbox View | IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49684 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49681 -> 193.122.6.168:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00DA25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00DA25E2
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: mail.grupomaya.mx
Source: RegSvcs.exe, 00000001.00000002.3335801474.0000000002681000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000001.00000002.3335801474.0000000002681000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000001.00000002.3335801474.000000000266E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.0000000002681000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000001.00000002.3335801474.0000000002601000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000001.00000002.3335801474.0000000002681000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: lvrHOgPXr5.exe, 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000001.00000002.3335801474.0000000002681000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://grupomaya.mx
Source: RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://grupomaya.mxd
Source: RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.grupomaya.mx
Source: RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.grupomaya.mxd
Source: RegSvcs.exe, 00000001.00000002.3339571458.0000000005E8A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3334927431.0000000000A66000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r10.i.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.3339571458.0000000005E8A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3334927431.0000000000A66000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000001.00000002.3335801474.000000000269C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000001.00000002.3335801474.000000000269C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000001.00000002.3335801474.0000000002601000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000001.00000002.3339571458.0000000005E8A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3334927431.0000000000A66000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.3339571458.0000000005E8A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3334927431.0000000000A66000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: lvrHOgPXr5.exe, 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000001.00000002.3335801474.0000000002681000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.000000000269C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: lvrHOgPXr5.exe, 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.0000000002681000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000001.00000002.3335801474.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000001.00000002.3335801474.0000000002681000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49682 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00DA425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00DA425A
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00DA4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00DA4458
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D90219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00D90219
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00DBCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00DBCDAC

System Summary

Source: 1.2.RegSvcs.exe.750000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegSvcs.exe.750000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.lvrHOgPXr5.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.lvrHOgPXr5.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: lvrHOgPXr5.exe PID: 6896, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6984, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00D33B4C
Source: lvrHOgPXr5.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: lvrHOgPXr5.exe, 00000000.00000000.862135785.0000000000DE5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_9cdc2300-4
Source: lvrHOgPXr5.exe, 00000000.00000000.862135785.0000000000DE5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_9e3e74e5-4
Source: lvrHOgPXr5.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_5281cf2e-7
Source: lvrHOgPXr5.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_fc88279a-e
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D940B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_00D940B1
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D88858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00D88858
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D9545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00D9545F
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: String function: 00D50D27 appears 70 times
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: String function: 00D58B40 appears 42 times
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: String function: 00D37F41 appears 35 times
                  Source: lvrHOgPXr5.exe, 00000000.00000003.878000920.0000000003DBD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs lvrHOgPXr5.exe
                  Source: lvrHOgPXr5.exe, 00000000.00000003.879114613.0000000003C13000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs lvrHOgPXr5.exe
                  Source: lvrHOgPXr5.exe, 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs lvrHOgPXr5.exe
                  Source: lvrHOgPXr5.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 1.2.RegSvcs.exe.750000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 1.2.RegSvcs.exe.750000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.lvrHOgPXr5.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.lvrHOgPXr5.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: lvrHOgPXr5.exe PID: 6896, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: RegSvcs.exe PID: 6984, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@3/3
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D9A2D5 GetLastError,FormatMessageW
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D88713 AdjustTokenPrivileges,CloseHandle
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D88CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D9B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00DAF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00DA86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D34FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | File created: C:\Users\user~1\AppData\Local\Temp\autF17.tmp
                  Source: lvrHOgPXr5.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: RegSvcs.exe, 00000001.00000002.3335801474.0000000002717000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3336919363.000000000362D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.00000000026E5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.00000000026F4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.0000000002703000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3335801474.0000000002724000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: lvrHOgPXr5.exe | Virustotal: Detection: 56%
                  Source: lvrHOgPXr5.exe | ReversingLabs: Detection: 57%
                  Source: unknown | Process created: C:\Users\user\Desktop\lvrHOgPXr5.exe "C:\Users\user\Desktop\lvrHOgPXr5.exe"
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\lvrHOgPXr5.exe"
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Section loaded: wsock32.dll
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: lvrHOgPXr5.exe | Static file information: File size 80740352 > 1048576
                  Source: lvrHOgPXr5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: lvrHOgPXr5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: lvrHOgPXr5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: lvrHOgPXr5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: lvrHOgPXr5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: lvrHOgPXr5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: lvrHOgPXr5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: lvrHOgPXr5.exe, 00000000.00000003.875826040.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, lvrHOgPXr5.exe, 00000000.00000003.878000920.0000000003C90000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: lvrHOgPXr5.exe, 00000000.00000003.875826040.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, lvrHOgPXr5.exe, 00000000.00000003.878000920.0000000003C90000.00000004.00001000.00020000.00000000.sdmp
                  Source: lvrHOgPXr5.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: lvrHOgPXr5.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: lvrHOgPXr5.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: lvrHOgPXr5.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: lvrHOgPXr5.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00DAC304 LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D58B85 push ecx; ret 0_2_00D58B98
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_025D07C8 push ebx; iretd 1_2_025D07D2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_025D082D push ebp; iretd 1_2_025D0832
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_025DAEB5 push edi; retf 1_2_025DAF13
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_025DAEA5 push edi; retf 1_2_025DAF0B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_025DAF35 push esi; retf 1_2_025DAF43
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_025DAF2F push esi; retf 1_2_025DAF33
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_025D9331 push ebp; iretd 1_2_025D933E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_025D93CC push ebp; iretd 1_2_025D938E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_025D97BF push esi; iretd 1_2_025D97DE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_025D17B8 push ebx; iretd 1_2_025D17D6
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D34A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00DB55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D533C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | API/Special instruction interceptor: Address: CC3244
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599763
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599655
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599434
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599315
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599200
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599090
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598938
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598825
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598606
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598390
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598281
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598172
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598062
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597952
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597844
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597734
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597624
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597515
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597405
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597296
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597180
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597062
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596953
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596844
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596734
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596625
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596515
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596405
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596273
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596166
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596057
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595947
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595811
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595668
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595343
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595015
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594797
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7757
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2097
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-100397
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | API coverage: 5.1 %
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D94696 GetFileAttributesW,FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D9C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D9C93C FindFirstFileW,FindClose
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00D9F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D9F200
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00D9F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00D9F35D
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00D9F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D9F65E
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00D93A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D93A2B
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00D93D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D93D4E
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00D9BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00D9BF27
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00D34AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D34AFE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599875Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599763Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599655Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599547Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599434Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599315Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599200Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599090Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598938Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598825Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598719Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598606Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598500Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598390Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598281Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598172Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598062Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597952Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597844Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597734Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597624Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597515Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597405Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597296Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597180Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597062Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596953Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596844Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596734Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596625Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596515Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596405Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596273Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596166Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596057Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595947Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595811Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595668Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595562Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595453Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595343Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595234Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595125Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595015Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594906Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594797Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594687Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594578Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594469Jump to behavior
                  Source: RegSvcs.exe, 00000001.00000002.3334927431.0000000000A66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeAPI call chain: ExitProcess graph end nodegraph_0-99022
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00DA41FD BlockInput,0_2_00DA41FD
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00D33B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00D33B4C
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00D65CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00D65CCC
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00DAC304 LoadLibraryA,GetProcAddress,0_2_00DAC304
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00CC34B0 mov eax, dword ptr fs:[00000030h]0_2_00CC34B0
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00CC3510 mov eax, dword ptr fs:[00000030h]0_2_00CC3510
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00CC1E70 mov eax, dword ptr fs:[00000030h]0_2_00CC1E70
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00D881F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00D881F7
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00D5A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D5A395
                  Source: C:\Users\user\Desktop\lvrHOgPXr5.exeCode function: 0_2_00D5A364 SetUnhandledExceptionFilter,0_2_00D5A364
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 57F008
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D88C93 LogonUserW,0_2_00D88C93
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D33B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00D33B4C
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D34A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00D34A35
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D94EC9 mouse_event,0_2_00D94EC9
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\lvrHOgPXr5.exe"
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D881F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00D881F7
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D94C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00D94C03
Source: lvrHOgPXr5.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: lvrHOgPXr5.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D5886B cpuid 0_2_00D5886B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D650D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00D650D7
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D72230 GetUserNameW,0_2_00D72230
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D6418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00D6418A
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00D34AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D34AFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 1.2.RegSvcs.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lvrHOgPXr5.exe PID: 6896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6984, type: MEMORYSTR

Source: Yara match | File source: 1.2.RegSvcs.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lvrHOgPXr5.exe PID: 6896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6984, type: MEMORYSTR

Source: Yara match | File source: 1.2.RegSvcs.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lvrHOgPXr5.exe PID: 6896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6984, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: lvrHOgPXr5.exe | Binary or memory string: WIN_81
Source: lvrHOgPXr5.exe | Binary or memory string: WIN_XP
Source: lvrHOgPXr5.exe | Binary or memory string: WIN_XPe
Source: lvrHOgPXr5.exe | Binary or memory string: WIN_VISTA
Source: lvrHOgPXr5.exe | Binary or memory string: WIN_7
Source: lvrHOgPXr5.exe | Binary or memory string: WIN_8
Source: lvrHOgPXr5.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match | File source: 1.2.RegSvcs.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lvrHOgPXr5.exe PID: 6896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6984, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 1.2.RegSvcs.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lvrHOgPXr5.exe PID: 6896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6984, type: MEMORYSTR

Source: Yara match | File source: 1.2.RegSvcs.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lvrHOgPXr5.exe PID: 6896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6984, type: MEMORYSTR

Source: Yara match | File source: 1.2.RegSvcs.exe.750000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lvrHOgPXr5.exe.cd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.3334426248.0000000000752000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.888424588.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3335801474.000000000272A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: lvrHOgPXr5.exe PID: 6896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6984, type: MEMORYSTR

Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00DA6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00DA6596
Source: C:\Users\user\Desktop\lvrHOgPXr5.exe | Code function: 0_2_00DA6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00DA6A5A
MITRE ATT&CK Matrix (techniques by tactic; the number in parentheses is the marker the report attaches to techniques it matched)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (12); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (212); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (11); Access Token Manipulation (21); Process Injection (212); HTML Smuggling; Dynamic API Resolution
Credential Access: OS Credential Dumping (1); Input Capture (121); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (127); Security Software Discovery (131); Virtualization/Sandbox Evasion (11); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Input Capture (121); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (23); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement