
Windows Analysis Report
Wi8JY2Ta81.exe

Overview

General Information

Sample name: Wi8JY2Ta81.exe (renamed because the original name is a hash value)
Original sample name: 16e214b586a7b6a2fef2b600ceb2610d840640965599572e3f110afad33df2bd.exe
Analysis ID: 1633550
MD5: 48e6c9bc29e0472af59d39db11077939
SHA1: 64829166a48b86df8e8a5f1c52975990691e0771
SHA256: 16e214b586a7b6a2fef2b600ceb2610d840640965599572e3f110afad33df2bd
Tags: exe, user-adrian__luca

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Wi8JY2Ta81.exe (PID: 6012 cmdline: "C:\Users\user\Desktop\Wi8JY2Ta81.exe" MD5: 48E6C9BC29E0472AF59D39DB11077939)
    • vehiculate.exe (PID: 7048 cmdline: "C:\Users\user\Desktop\Wi8JY2Ta81.exe" MD5: 48E6C9BC29E0472AF59D39DB11077939)
      • RegSvcs.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\Wi8JY2Ta81.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 7216 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vehiculate.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • vehiculate.exe (PID: 7272 cmdline: "C:\Users\user\AppData\Local\incalculability\vehiculate.exe" MD5: 48E6C9BC29E0472AF59D39DB11077939)
      • RegSvcs.exe (PID: 7292 cmdline: "C:\Users\user\AppData\Local\incalculability\vehiculate.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration (extracted): {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.ru", "Username": "negozio@depadova.cf", "Password": "graceofgod@amen"}
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):
  • 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    • 0x3f241:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x3f2b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x3f33d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x3f3cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x3f439:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x3f4ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x3f541:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x3f5d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 0000000B.00000002.3687027989.0000000003204000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  (table truncated; 22 entries in the full report)
Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
  • 2.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
    • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
    • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
    • 0x700:$s3: 83 EC 38 53 B0 4F 88 44 24 2B 88 44 24 2F B0 86 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
    • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
    • 0x1e9d0:$s5: delete[]
    • 0x1de88:$s6: constructor or from DllMain.
  • 2.2.RegSvcs.exe.267fd8e.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 2.2.RegSvcs.exe.267fd8e.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 2.2.RegSvcs.exe.267fd8e.1.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
  • 2.2.RegSvcs.exe.267fd8e.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    • 0x3f241:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x3f2b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x3f33d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x3f3cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x3f439:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x3f4ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x3f541:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x3f5d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  (table truncated; 63 entries in the full report)

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vehiculate.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vehiculate.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vehiculate.vbs" , ProcessId: 7216, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7100, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49688
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vehiculate.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vehiculate.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vehiculate.vbs" , ProcessId: 7216, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\incalculability\vehiculate.exe, ProcessId: 7048, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vehiculate.vbs
No Suricata rule has matched


AV Detection

Source: Wi8JY2Ta81.exe | Avira: detected
Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Avira: detection malicious, Label: TR/AD.ShellcodeCrypter.owcbz
Source: 2.2.RegSvcs.exe.39d6458.4.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.ru", "Username": "negozio@depadova.cf", "Password": "graceofgod@amen"}
Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | ReversingLabs: Detection: 76%
Source: Wi8JY2Ta81.exe | Virustotal: Detection: 64%
Source: Wi8JY2Ta81.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Wi8JY2Ta81.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49686 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49689 version: TLS 1.2
Source: Binary string: _.pdb | source: RegSvcs.exe, 00000002.00000002.1388122756.000000000263E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1390795918.0000000004EB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1390461654.00000000039D1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: vehiculate.exe, 00000001.00000003.1239290767.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, vehiculate.exe, 00000001.00000003.1242644304.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, vehiculate.exe, 0000000A.00000003.1379334446.0000000004110000.00000004.00001000.00020000.00000000.sdmp, vehiculate.exe, 0000000A.00000003.1379172483.0000000003F70000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: vehiculate.exe, 00000001.00000003.1239290767.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, vehiculate.exe, 00000001.00000003.1242644304.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, vehiculate.exe, 0000000A.00000003.1379334446.0000000004110000.00000004.00001000.00020000.00000000.sdmp, vehiculate.exe, 0000000A.00000003.1379172483.0000000003F70000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0059445A
Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059C6D1 FindFirstFileW,FindClose,0_2_0059C6D1
Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0059C75C
Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0059EF95
Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0059F0F2
Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0059F3F3
Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_005937EF
Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00593B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00593B12
Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0059BCBC
Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003C445A GetFileAttributesW,FindFirstFileW,FindClose,1_2_003C445A
Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003CC6D1 FindFirstFileW,FindClose,1_2_003CC6D1
Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_003CC75C
Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_003CEF95
Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_003CF0F2
Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_003CF3F3
Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_003C37EF
Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_003C3B12
Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_003CBCBC
Source: global traffic | TCP traffic: 192.168.2.7:49688 -> 77.88.21.158:587
Source: global traffic | TCP traffic: 192.168.2.7:63745 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 77.88.21.158
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.7:49688 -> 77.88.21.158:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005A22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_005A22EE
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: smtp.yandex.ru
Source: RegSvcs.exe, 0000000B.00000002.3698327112.00000000071E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.gl
Source: RegSvcs.exe, 00000002.00000002.1388940920.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1387048610.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003204000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000338D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3695278683.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003589000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003322000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3684345073.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698203872.00000000071C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000362A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j
Source: RegSvcs.exe, 00000002.00000002.1391441598.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1388940920.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1387048610.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000338D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003589000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003322000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3684345073.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698327112.00000000072F6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698203872.00000000071C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3695278683.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698327112.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000362A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: RegSvcs.exe, 00000002.00000002.1391441598.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1388940920.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1387048610.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000338D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3695278683.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003589000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003322000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698203872.00000000071C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3695278683.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698327112.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000362A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: RegSvcs.exe, 00000002.00000002.1391441598.00000000050B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.glo
Source: RegSvcs.exe, 00000002.00000002.1388940920.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1387048610.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003204000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000338D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3695278683.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003589000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003322000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3684345073.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698203872.00000000071C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000362A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V
Source: RegSvcs.exe, 00000002.00000002.1391441598.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1388940920.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1387048610.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000338D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3695278683.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003589000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003322000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698203872.00000000071C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3695278683.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698327112.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000362A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: RegSvcs.exe, 0000000B.00000002.3698327112.00000000072F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/rootr1E
Source: RegSvcs.exe, 00000002.00000002.1391441598.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1388940920.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1387048610.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000338D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003589000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003322000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3684345073.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698327112.00000000072F6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698203872.00000000071C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3695278683.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698327112.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000362A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: RegSvcs.exe, 00000002.00000002.1388940920.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000031C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.1388940920.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1387048610.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003204000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000338D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3695278683.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003589000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003322000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3684345073.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698203872.00000000071C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000362A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07
Source: RegSvcs.exe, 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1388122756.000000000263E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1390795918.0000000004EB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1390461654.00000000039D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1388122756.000000000263E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1390795918.0000000004EB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1390461654.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1388940920.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000031C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.1388940920.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000031C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000002.00000002.1388940920.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000031C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 00000002.00000002.1391441598.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1388940920.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1387048610.0000000000ABD000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003204000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000338D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3695278683.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003589000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003322000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3684345073.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698327112.00000000072F6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698203872.00000000071C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000032C3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3695278683.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3698327112.00000000071E4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.000000000362A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49689
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49686
                Source: unknownNetwork traffic detected: HTTP traffic on port 49686 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49689 -> 443
                Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49686 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.7:49689 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, 7KG.cs .Net Code: _2s8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005A4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_003D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005A3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0059001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005BCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_003ECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
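The evidence lines in this and the preceding network section are easier to triage once parsed. The Python below is an added example, not part of the Joe Sandbox report and not the sample's code: it reads behaviour lines in the `Source: <origin> <category>: <value>` form used on this page, deduplicates the URLs found across memory dumps, tags the clipboard read/write and key-state polling call sequences, and flags a low-level keyboard hook installed from a .NET framework utility. The host classification lists, the utility-process list and the polling threshold are the example's own assumptions; the sample lines are copied from this report with the fused fields separated. One caveat the report itself supports: the clipboard and key-state functions are attributed to the two AutoIt-compiled stubs (the same code listed at two load addresses), whose runtime implements clipboard and key-state functions for scripts, so the keyboard hook set from the injected RegSvcs.exe host is the stronger keylogging indicator here.

```python
"""Triage parser for Joe Sandbox behaviour lines (added example, not Joe Sandbox code)."""
import re

# Analyst-curated host classes; these lists are this example's assumption, not report data.
PKI_NOISE_HOSTS = {"ocsp2.globalsign.com", "secure.globalsign.com",
                   "www.globalsign.com", "schemas.xmlsoap.org"}
STEALER_TELLTALE_HOSTS = {"api.ipify.org": "external IP lookup",
                          "account.dyn.com": "dynamic-DNS account page"}
# .NET framework utilities commonly abused as injection hosts; none of them has a
# reason to install a keyboard hook (assumption, tune to your own estate).
NET_UTILITY_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

URL_RE = re.compile(r"https?://[^\s,]+")
FUNC_ID_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]+")
CATEGORIES = ("String found in binary or memory:", "Windows user hook set:", "Code function:")

# Constructed input: lines copied from the report, fused "<source><category>" fields
# separated by a space; the repeated trailing function id the page renders is tolerated.
SAMPLE_LINES = [
    "Source: RegSvcs.exe, 00000002.00000002.1388940920.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, "
    "RegSvcs.exe, 0000000B.00000002.3687027989.00000000031C0000.00000004.00000800.00020000.00000000.sdmp "
    "String found in binary or memory: https://api.ipify.org",
    "Source: RegSvcs.exe, 00000002.00000002.1391441598.00000000050B4000.00000004.00000020.00020000.00000000.sdmp "
    "String found in binary or memory: http://ocsp2.globalsign.com/rootr306",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Windows user hook set: "
    r"0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
    r"Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005A4164 OpenClipboard,EmptyClipboard,"
    "GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_005A4164",
    r"Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005A3F66 OpenClipboard,IsClipboardFormatAvailable,"
    "IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,"
    "IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,"
    "GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_005A3F66",
    r"Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0059001C GetKeyboardState,SetKeyboardState,"
    "GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,"
    "GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0059001C",
]


def parse_line(line):
    """Split one report line into (category, source, value); None if the category is unknown."""
    line = line.strip()
    if not line.startswith("Source:"):
        return None
    body = line[len("Source:"):].strip()
    for category in CATEGORIES:
        source, found, value = body.partition(category)
        if found:
            return category, source.strip().rstrip(","), value.strip()
    return None


def classify_url(url):
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    if host in STEALER_TELLTALE_HOSTS:
        return "telltale:" + STEALER_TELLTALE_HOSTS[host]
    return "pki-noise" if host in PKI_NOISE_HOSTS else "unclassified"


def classify_apis(apis):
    """Tag a function by the Win32 call sequence the sandbox attributed to it."""
    tags = set()
    if "OpenClipboard" in apis and "GetClipboardData" in apis:
        tags.add("clipboard-read")
    if "OpenClipboard" in apis and "SetClipboardData" in apis:
        tags.add("clipboard-write")
    polls = sum(api in ("GetAsyncKeyState", "GetKeyState") for api in apis)
    if polls >= 4:  # threshold is an assumption: repeated key-state reads in one function look like polling
        tags.add("keystate-polling")
    return tags


def triage(lines):
    findings = {"urls": {}, "hooks": [], "functions": {}}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        category, source, value = parsed
        if category == CATEGORIES[0]:
            dumps = {s.strip() for s in source.split(",") if s.strip().endswith(".sdmp")}
            for url in URL_RE.findall(value):
                entry = findings["urls"].setdefault(url, {"class": classify_url(url), "dumps": set()})
                entry["dumps"] |= dumps
        elif category == CATEGORIES[1]:
            parts = value.split()  # "<thread> <hook kind words...> <target path>"; assumes no spaces in the path
            hook_kind = " ".join(parts[1:-1])
            host = source.rsplit("\\", 1)[-1].lower()
            findings["hooks"].append({"process": source, "kind": hook_kind, "target": parts[-1],
                                      "suspicious": host in NET_UTILITY_HOSTS and "keyboard" in hook_kind})
        elif category == CATEGORIES[2]:
            func_id, _, api_list = value.partition(" ")
            apis = [a for a in api_list.split(",") if a and not FUNC_ID_RE.fullmatch(a)]
            findings["functions"][func_id] = {"process": source, "apis": apis, "tags": classify_apis(apis)}
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for url, info in result["urls"].items():
        print(f"{info['class']:<28} {url} (seen in {len(info['dumps'])} dumps)")
    for hook in result["hooks"]:
        print("hook:", hook["kind"], "by", hook["process"], "SUSPICIOUS" if hook["suspicious"] else "")
    for func_id, info in result["functions"].items():
        print(func_id, sorted(info["tags"]))
```

Run against a whole report export, the URL table collapses the repeated GlobalSign certificate and OCSP strings (present only because the dumped .NET image carries its signing chain) and leaves the two hosts worth pivoting on, while the hook entry is the one line in this section that is suspicious on its own.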

                System Summary

                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 2.2.RegSvcs.exe.267fd8e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.39d6458.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.4eb0ee8.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.267fd8e.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.267eea6.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.39d5570.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.39d5570.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.39d6458.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 10.2.vehiculate.exe.3f20000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 2.2.RegSvcs.exe.3a22d90.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.4eb0000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.3a22d90.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.4eb0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 1.2.vehiculate.exe.1f80000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 2.2.RegSvcs.exe.4eb0ee8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.267eea6.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 2.2.RegSvcs.exe.5180000.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 00000002.00000002.1390795918.0000000004EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                Source: 0000000A.00000002.1382722442.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 00000001.00000002.1244596938.0000000001F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 00000002.00000002.1385874503.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00533B3A This is a third-party compiled AutoIt script.
                Source: Wi8JY2Ta81.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Wi8JY2Ta81.exe, 00000000.00000002.1222446482.00000000005E4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Wi8JY2Ta81.exe, 00000000.00000002.1222446482.00000000005E4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: Wi8JY2Ta81.exe, 00000000.00000003.1221043775.0000000003AB3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Wi8JY2Ta81.exe, 00000000.00000003.1221043775.0000000003AB3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00363B3A This is a third-party compiled AutoIt script.
                Source: vehiculate.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: vehiculate.exe, 00000001.00000002.1243690262.0000000000414000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: vehiculate.exe, 00000001.00000002.1243690262.0000000000414000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: vehiculate.exe, 0000000A.00000002.1381970110.0000000000414000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: vehiculate.exe, 0000000A.00000002.1381970110.0000000000414000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: Wi8JY2Ta81.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: vehiculate.exe.0.dr String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: vehiculate.exe.0.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
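The string that the entries above repeat is embedded in the stub of every AutoIt3-compiled executable, and here it turns up in the original file, in the dropped copy and in both processes' memory. The Python below is an added example, not from the report, for confirming the same thing on a file from disk: it looks for that marker in both narrow and UTF-16LE form (the stub stores it as a wide string, so an ASCII-only search can miss it) and for the 16-byte magic that precedes the embedded script resource. The magic value is the one used by public AutoIt unpackers and Yara rules and is this example's assumption; the two sample blobs are constructed inline.

```python
"""Check a binary for AutoIt3 compiled-script markers (added example, not from the report)."""
import sys

MARKER = "This is a third-party compiled AutoIt script."
# AU3 script-resource magic as used by public AutoIt unpackers and Yara rules (assumed constant).
AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def autoit_indicators(data: bytes) -> dict:
    """Locate the stub marker (narrow and wide) and the AU3 resource magic."""
    hits = {
        "marker_ascii": find_all(data, MARKER.encode("ascii")),
        "marker_utf16": find_all(data, MARKER.encode("utf-16-le")),
        "au3_magic": find_all(data, AU3_MAGIC),
    }
    hits["is_autoit"] = any(hits[key] for key in ("marker_ascii", "marker_utf16", "au3_magic"))
    # The marker alone can come from a file that merely quotes the message; marker plus
    # script resource is the strong signal (grading is this example's convention).
    has_marker = bool(hits["marker_ascii"] or hits["marker_utf16"])
    hits["confidence"] = ("high" if hits["au3_magic"] and has_marker
                          else "medium" if hits["is_autoit"] else "none")
    return hits


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return autoit_indicators(fh.read())


# Constructed samples: a fake stub carrying the wide marker and a script resource, and a clean blob.
FAKE_AUTOIT = (b"MZ" + b"\x00" * 64 + MARKER.encode("utf-16-le") + b"\x00" * 32
               + AU3_MAGIC + b"\x00" * 16)
CLEAN_BLOB = b"MZ" + b"\x00" * 64 + b"This is a third-party compiled script." + b"\x00" * 32

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, scan_file(path)["confidence"])
    print("constructed stub:", autoit_indicators(FAKE_AUTOIT)["confidence"],
          "| clean blob:", autoit_indicators(CLEAN_BLOB)["confidence"])
```

The offsets returned for the magic are where an unpacker would start carving the script resource; on a packed or partially unpacked dump the marker may be present while the magic is not, which the grading reports as medium rather than none.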
                Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0059A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00588310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005951BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_003C51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0055D975
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005521C5
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005662D2
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005B03DA
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0056242E
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005525FA
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0058E616
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005466E1
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0053E6A0
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0056878F
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005B0857
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00566844
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00548808
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00598889
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0055CB21
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00566DB6
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00546F9E
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00543030
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0055F1D9
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00553187
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00531287
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00551484
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00545520
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00557696
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00545760
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00551978
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00569AB5
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0053FCE0
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_005B7DDB
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00551D90
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0055BDA6
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_0053DF00
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_00543FE0
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe Code function: 0_2_014D36C0
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_0038D975
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_003821C5
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_003962D2
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_003E03DA
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_0039242E
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_003825FA
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_003BE616
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_0036E6A0
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_003766E1
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_0039878F
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00378808
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_003E0857
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00396844
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_003C8889
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_0038CB21
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00396DB6
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00376F9E
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00373030
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00383187
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_0038F1D9
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00361287
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00381484
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00375520
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00387696
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00375760
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00381978
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00399AB5
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_0036FCE0
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_0038BDA6
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00381D90
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_003E7DDB
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_0036DF00
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_00373FE0
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 1_2_01F736C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00408C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040DC11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00407C3F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00418CCC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00406CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004028B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041A4BE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00418244
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00401650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00402F20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004193C4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00418788
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00402F89
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00402B90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004073A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027CD440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027CC828
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027CCB70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027C0FD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_027C1030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_056E5F38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_056E61E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_056EC888
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_056EEB70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_056E92B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_056E0040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_056E0006
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_056EF2BB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0643C09C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06434E20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06435DA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06439DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0643D6FA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06431138
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06579FB8
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe Code function: 10_2_016D36C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02FECB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02FED450
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02FEC838
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02FE0FD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02FE1030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06785F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0678BA78
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06789368
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0678EB60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_067861D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0678F2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06780040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0678001F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06BAC09C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06BA0040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06BA4E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06BA9DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06BA5DA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06BAD6FA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06BA1138
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_06CE9FB8
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exeCode function: String function: 00388900 appears 42 times
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exeCode function: String function: 00367DE1 appears 36 times
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exeCode function: String function: 00380AE3 appears 70 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0040E1D8 appears 44 times
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exeCode function: String function: 00550AE3 appears 70 times
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exeCode function: String function: 00537DE1 appears 36 times
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exeCode function: String function: 00558900 appears 42 times
                Source: Wi8JY2Ta81.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 2.2.RegSvcs.exe.267fd8e.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.39d6458.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.4eb0ee8.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.267fd8e.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.267eea6.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.39d5570.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.39d5570.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.39d6458.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 10.2.vehiculate.exe.3f20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 2.2.RegSvcs.exe.3a22d90.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.4eb0000.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.3a22d90.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.4eb0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 1.2.vehiculate.exe.1f80000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 2.2.RegSvcs.exe.4eb0ee8.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.267eea6.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.5180000.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000002.00000002.1390795918.0000000004EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0000000A.00000002.1382722442.0000000003F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000001.00000002.1244596938.0000000001F80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000002.00000002.1385874503.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 2.2.RegSvcs.exe.39d6458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, 1UT6pzc0M.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, DnQOD3M.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, 01seU.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, iUDwvr7Gz.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, XUu2qKyuF6.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, aZathEIgR.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                Source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@2/2
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059A06A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005881CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005887E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003B81CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003B87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005AEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059C397 CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00534E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | File created: C:\Users\user\AppData\Local\incalculability
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | File created: C:\Users\user~1\AppData\Local\Temp\autB664.tmp
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vehiculate.vbs"
                Source: Wi8JY2Ta81.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: Wi8JY2Ta81.exe | Virustotal: Detection: 64%
                Source: Wi8JY2Ta81.exe | ReversingLabs: Detection: 76%
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | File read: C:\Users\user\Desktop\Wi8JY2Ta81.exe
                Source: unknown | Process created: C:\Users\user\Desktop\Wi8JY2Ta81.exe "C:\Users\user\Desktop\Wi8JY2Ta81.exe"
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Process created: C:\Users\user\AppData\Local\incalculability\vehiculate.exe "C:\Users\user\Desktop\Wi8JY2Ta81.exe"
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Wi8JY2Ta81.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\incalculability\vehiculate.exe "C:\Users\user\AppData\Local\incalculability\vehiculate.exe"
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\incalculability\vehiculate.exe"
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                Source: Wi8JY2Ta81.exe | Static file information: File size 1174528 > 1048576
                Source: Wi8JY2Ta81.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: Wi8JY2Ta81.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: Wi8JY2Ta81.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: Wi8JY2Ta81.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Wi8JY2Ta81.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: Wi8JY2Ta81.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: Wi8JY2Ta81.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.1388122756.000000000263E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1390795918.0000000004EB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1390461654.00000000039D1000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: vehiculate.exe, 00000001.00000003.1239290767.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, vehiculate.exe, 00000001.00000003.1242644304.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, vehiculate.exe, 0000000A.00000003.1379334446.0000000004110000.00000004.00001000.00020000.00000000.sdmp, vehiculate.exe, 0000000A.00000003.1379172483.0000000003F70000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: vehiculate.exe, 00000001.00000003.1239290767.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, vehiculate.exe, 00000001.00000003.1242644304.0000000003DC0000.00000004.00001000.00020000.00000000.sdmp, vehiculate.exe, 0000000A.00000003.1379334446.0000000004110000.00000004.00001000.00020000.00000000.sdmp, vehiculate.exe, 0000000A.00000003.1379172483.0000000003F70000.00000004.00001000.00020000.00000000.sdmp
                Source: Wi8JY2Ta81.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Wi8JY2Ta81.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Wi8JY2Ta81.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Wi8JY2Ta81.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Wi8JY2Ta81.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                Data Obfuscation

                Source: 2.2.RegSvcs.exe.39d6458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 2.2.RegSvcs.exe.267fd8e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 2.2.RegSvcs.exe.3a22d90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 2.2.RegSvcs.exe.4eb0ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 2.2.RegSvcs.exe.39d5570.5.raw.unpack, _.cs | .Net Code: ___ System.Reflection.Assembly.Load(byte[])
                Source: 2.2.RegSvcs.exe.267eea6.2.raw.unpack, _.cs | .Net Code: ___ System.Reflection.Assembly.Load(byte[])
                Source: 2.2.RegSvcs.exe.4eb0000.6.raw.unpack, _.cs | .Net Code: ___ System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00534B37 LoadLibraryA,GetProcAddress, 0_2_00534B37
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0053C4C6 push A30053BAh; retn 0053h 0_2_0053C50D
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00558945 push ecx; ret 0_2_00558958
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_0036C4FE push A30036BAh; retn 0036h 1_2_0036C50D
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_00388945 push ecx; ret 1_2_00388958
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041C40C push cs; iretd 2_2_0041C4E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00423149 push eax; ret 2_2_00423179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041C50E push cs; iretd 2_2_0041C4E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004231C8 push eax; ret 2_2_00423179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0040E21D push ecx; ret 2_2_0040E230
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041C6BE push ebx; ret 2_2_0041C6BF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_027C47AC push es; retf 2_2_027C47AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_027C2582 pushfd ; ret 2_2_027C2597
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0643CF5A push esp; ret 2_2_0643CF61
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06576290 push es; ret 2_2_065762A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06571E71 push es; ret 2_2_06571E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0657FFB2 pushfd ; ret 2_2_0657FFB9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0657D9CC push es; ret 2_2_0657D9AC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0657D9A6 push es; ret 2_2_0657D9AC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_02FE47AC push es; retf 11_2_02FE47AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_02FE2582 pushfd ; ret 11_2_02FE2597
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_06BACF5A push esp; ret 11_2_06BACF61
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_06CED9CC push es; ret 11_2_06CED9AC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 11_2_06CED9A6 push es; ret 11_2_06CED9AC
                Source: 2.2.RegSvcs.exe.39d6458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zmbiqYKUAsJDQ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zmbiqYKUAsJDQ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 2.2.RegSvcs.exe.267fd8e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zmbiqYKUAsJDQ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 2.2.RegSvcs.exe.3a22d90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zmbiqYKUAsJDQ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 2.2.RegSvcs.exe.4eb0ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'zmbiqYKUAsJDQ', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | File created: C:\Users\user\AppData\Local\incalculability\vehiculate.exe

                Boot Survival

                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vehiculate.vbs
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_005348D7
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005B5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_005B5376
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 1_2_003648D7
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003E5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 1_2_003E5376
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00553187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00553187
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | API/Special instruction interceptor: Address: 1F732E4
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | API/Special instruction interceptor: Address: 16D32E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1200000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199891
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199653
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199532
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199297
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199078
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198969
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198860
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198726
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198625
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198516
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198375
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198263
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199921
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199812
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199703
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199594
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199484
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199375
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199265
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199047
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198937
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198828
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198719
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198608
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198500
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 6963
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2882
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7906
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Evaded block: after key decision
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-101839)
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | API coverage: 5.0 %
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | API coverage: 5.2 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059445A GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059C6D1 FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005937EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00593B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0059BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003C445A GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003CC6D1 FindFirstFileW,FindClose
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99764
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99546
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99405
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99295
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99186
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99044
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98774
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98547
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98436
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98218
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98097
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97968
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97749
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97531
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97413
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97297
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97187
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97078
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96968
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96531
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96306
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96202
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95948
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1200000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199891
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199653
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199532
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199297
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199078
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198969
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198860
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198726
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198625
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198516
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198375
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198263
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99781
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99672
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99547
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99437
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99219
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99094
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98984
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98547
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98437
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98219
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98109
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97781
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97672
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97562
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97344
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97234
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97125
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97015
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96904
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96794
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96685
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96556
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96404
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96275
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96171
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96062
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95953
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199921
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199812
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199703
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199594
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199484
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199375
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199265
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1199047
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198937
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198828
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198719
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198608
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 1198500
                Source: RegSvcs.exe, 0000000B.00000002.3695278683.00000000057C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx
                Source: Wi8JY2Ta81.exe, 00000000.00000003.1221691780.000000000155A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FEOJJHVMware
                Source: RegSvcs.exe, 0000000B.00000002.3692887357.00000000044F3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3692887357.00000000042B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3692887357.0000000004453000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3692887357.0000000004215000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3692887357.0000000004433000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3692887357.0000000004393000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000034CC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000036D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.0000000003334000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3687027989.00000000036AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: fMEQMM+xyKY/iTSJIHgfSrloXJZ42t0KsSckkZ5Oea+fv5fgfYOjLy+9f5kVvqmpT61H
                Source: RegSvcs.exe, 00000002.00000002.1387048610.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | API call chain: ExitProcess graph end node (graph_0-101087)
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | API call chain: ExitProcess graph end node (graph_0-101306)
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | API call chain: ExitProcess graph end node
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005A3F09 BlockInput
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00533B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00565A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exeCode function: 0_2_00534B37 LoadLibraryA,GetProcAddress,0_2_00534B37
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exeCode function: 0_2_014D3550 mov eax, dword ptr fs:[00000030h]0_2_014D3550
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exeCode function: 0_2_014D35B0 mov eax, dword ptr fs:[00000030h]0_2_014D35B0
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exeCode function: 0_2_014D1EE0 mov eax, dword ptr fs:[00000030h]0_2_014D1EE0
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exeCode function: 1_2_01F735B0 mov eax, dword ptr fs:[00000030h]1_2_01F735B0
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exeCode function: 1_2_01F73550 mov eax, dword ptr fs:[00000030h]1_2_01F73550
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exeCode function: 1_2_01F71EE0 mov eax, dword ptr fs:[00000030h]1_2_01F71EE0
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exeCode function: 10_2_016D1EE0 mov eax, dword ptr fs:[00000030h]10_2_016D1EE0
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exeCode function: 10_2_016D3550 mov eax, dword ptr fs:[00000030h]10_2_016D3550
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exeCode function: 10_2_016D35B0 mov eax, dword ptr fs:[00000030h]10_2_016D35B0
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exeCode function: 0_2_005880A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_005880A9
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exeCode function: 0_2_0055A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0055A155
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exeCode function: 0_2_0055A124 SetUnhandledExceptionFilter,0_2_0055A124
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exeCode function: 1_2_0038A124 SetUnhandledExceptionFilter,1_2_0038A124
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exeCode function: 1_2_0038A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0038A155
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0040CE09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_0040E61C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00416F6A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_004123F1 SetUnhandledExceptionFilter,2_2_004123F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 774008
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E48008
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005887B1 LogonUserW, 0_2_005887B1
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00533B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00533B3A
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005348D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_005348D7
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00594C53 mouse_event, 0_2_00594C53
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Wi8JY2Ta81.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\incalculability\vehiculate.exe "C:\Users\user\AppData\Local\incalculability\vehiculate.exe"
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\incalculability\vehiculate.exe"
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00587CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00587CAF
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0058874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0058874B
                Source: Wi8JY2Ta81.exe, vehiculate.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: Wi8JY2Ta81.exe, vehiculate.exe | Binary or memory string: Shell_TrayWnd
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_0055862B cpuid 0_2_0055862B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoA, 2_2_00417A20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00564E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00564E87
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00571E06 GetUserNameW, 0_2_00571E06
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_00563F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00563F3A
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005349A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_005349A0
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.RegSvcs.exe.267fd8e.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d6458.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0ee8.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267fd8e.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267eea6.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d5570.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d5570.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d6458.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a22d90.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a22d90.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0ee8.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267eea6.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.5180000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3687027989.0000000003204000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1390795918.0000000004EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1388122756.000000000263E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1390461654.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1388940920.0000000002A4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1388940920.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1388940920.0000000002A24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7100, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7292, type: MEMORYSTR
                Source: Yara match | File source: 2.2.RegSvcs.exe.267fd8e.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d6458.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0ee8.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267fd8e.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267eea6.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d5570.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d5570.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d6458.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a22d90.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a22d90.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0ee8.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267eea6.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.5180000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1390795918.0000000004EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1388122756.000000000263E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1390461654.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: vehiculate.exe | Binary or memory string: WIN_81
                Source: vehiculate.exe | Binary or memory string: WIN_XP
                Source: vehiculate.exe | Binary or memory string: WIN_XPe
                Source: vehiculate.exe | Binary or memory string: WIN_VISTA
                Source: vehiculate.exe | Binary or memory string: WIN_7
                Source: vehiculate.exe | Binary or memory string: WIN_8
                Source: vehiculate.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                Source: Yara match | File source: 2.2.RegSvcs.exe.267fd8e.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d6458.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0ee8.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267fd8e.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267eea6.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d5570.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d5570.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d6458.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a22d90.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a22d90.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0ee8.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267eea6.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.5180000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3687027989.0000000003204000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1390795918.0000000004EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1388122756.000000000263E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1390461654.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1388940920.0000000002A24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7100, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7292, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 2.2.RegSvcs.exe.267fd8e.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d6458.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0ee8.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267fd8e.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267eea6.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d5570.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d5570.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d6458.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a22d90.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a22d90.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0ee8.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267eea6.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.5180000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3687027989.0000000003204000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1390795918.0000000004EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1388122756.000000000263E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1390461654.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1388940920.0000000002A4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1388940920.0000000002A57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1388940920.0000000002A24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7100, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7292, type: MEMORYSTR
                Source: Yara match | File source: 2.2.RegSvcs.exe.267fd8e.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d6458.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0ee8.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267fd8e.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267eea6.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d5570.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.5180000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d5570.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39d6458.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a22d90.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a22d90.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4eb0ee8.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.267eea6.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.5180000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.1391884134.0000000005180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1390795918.0000000004EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1388122756.000000000263E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1390461654.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005A6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_005A6283
                Source: C:\Users\user\Desktop\Wi8JY2Ta81.exe | Code function: 0_2_005A6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_005A6747
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003D6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 1_2_003D6283
                Source: C:\Users\user\AppData\Local\incalculability\vehiculate.exe | Code function: 1_2_003D6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 1_2_003D6747
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information111
                Scripting
                2
                Valid Accounts
                121
                Windows Management Instrumentation
                111
                Scripting
                1
                Exploitation for Privilege Escalation
                11
                Disable or Modify Tools
                2
                OS Credential Dumping
                2
                System Time Discovery
                Remote Services11
                Archive Collected Data
                2
                Ingress Tool Transfer
                Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault Accounts3
                Native API
                1
                DLL Side-Loading
                1
                DLL Side-Loading
                11
                Deobfuscate/Decode Files or Information
                221
                Input Capture
                1
                Account Discovery
                Remote Desktop Protocol2
                Data from Local System
                11
                Encrypted Channel
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAt2
                Valid Accounts
                2
                Valid Accounts
                2
                Obfuscated Files or Information
                1
                Credentials in Registry
                2
                File and Directory Discovery
                SMB/Windows Admin Shares1
                Email Collection
                1
                Non-Standard Port
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCron2
                Registry Run Keys / Startup Folder
                21
                Access Token Manipulation
                2
                Software Packing
                NTDS148
                System Information Discovery
                Distributed Component Object Model221
                Input Capture
                2
                Non-Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                Process Injection
                1
                DLL Side-Loading
                LSA Secrets351
                Security Software Discovery
                SSH4
                Clipboard Data
                23
                Application Layer Protocol
                Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
                Registry Run Keys / Startup Folder
                1
                Masquerading
                Cached Domain Credentials121
                Virtualization/Sandbox Evasion
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                Valid Accounts
                DCSync2
                Process Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job121
                Virtualization/Sandbox Evasion
                Proc Filesystem11
                Application Window Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                Access Token Manipulation
                /etc/passwd and /etc/shadow1
                System Owner/User Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron212
                Process Injection
                Network Sniffing1
                System Network Configuration Discovery
                Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1633550 Sample: Wi8JY2Ta81.exe Startdate: 10/03/2025 Architecture: WINDOWS Score: 100

                Behavior graph nodes and edges (node numbers as in the graph; the numbers after a process name are the created-file / registry-value counts shown next to it):

                • Start (node 2): DNS/IP smtp.yandex.ru, api.ipify.org; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures; started Wi8JY2Ta81.exe (node 8) and wscript.exe (node 12)
                • Wi8JY2Ta81.exe 6 (node 8): dropped C:\Users\user\AppData\...\vehiculate.exe, PE32; signature: Binary is likely a compiled AutoIt script file; started vehiculate.exe (node 14)
                • wscript.exe 1 (node 12): signature: Windows Scripting host queries suspicious COM object (likely to drop second stage); started vehiculate.exe (node 18)
                • vehiculate.exe 3 (node 14): dropped C:\Users\user\AppData\...\vehiculate.vbs, data; signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; 2 other signatures; started RegSvcs.exe (node 20)
                • vehiculate.exe 2 (node 18): signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; started RegSvcs.exe (node 24)
                • RegSvcs.exe 15 2 (node 20): DNS/IP smtp.yandex.ru 77.88.21.158, 49688, 49690, 587 YANDEXRU Russian Federation; api.ipify.org 172.67.74.152, 443, 49686, 49689 CLOUDFLARENETUS United States; signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Installs a global keyboard hook
                • RegSvcs.exe 2 (node 24): signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.