Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
uVEaZrbyd6.exe

Overview

General Information

Sample name:uVEaZrbyd6.exe
renamed because original name is a hash value
Original sample name:a27094c27d3d223e0de5922f4c1694b2d70199c79719627640f973b1f40e46a2.exe
Analysis ID:1633592
MD5:8ef5ee3dea811aa90a2b4dad6e187c21
SHA1:b054cba11224475453f19192bbceeb29a6d77ba3
SHA256:a27094c27d3d223e0de5922f4c1694b2d70199c79719627640f973b1f40e46a2
Tags:exeuser-adrian__luca
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • uVEaZrbyd6.exe (PID: 7512 cmdline: "C:\Users\user\Desktop\uVEaZrbyd6.exe" MD5: 8EF5EE3DEA811AA90A2B4DAD6E187C21)
    • RegSvcs.exe (PID: 7768 cmdline: "C:\Users\user\Desktop\uVEaZrbyd6.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://inhanoi.net.vn", "Username": "newboxoffice@inhanoi.net.vn", "Password": "^TSt3!FK$UBA"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.3743655632.000000000307C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000007.00000002.3743655632.0000000003051000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000007.00000002.3743655632.0000000003051000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000007.00000002.3741771518.0000000000402000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          00000007.00000002.3741771518.0000000000402000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 8 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.uVEaZrbyd6.exe.39f0000.1.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.uVEaZrbyd6.exe.39f0000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.uVEaZrbyd6.exe.39f0000.1.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x312e7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x31359:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x313e3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x31475:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x314df:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x31551:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x315e7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x31677:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                0.2.uVEaZrbyd6.exe.39f0000.1.unpackMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
                • 0x2e782:$s2: GetPrivateProfileString
                • 0x2de6f:$s3: get_OSFullName
                • 0x2f4e0:$s5: remove_Key
                • 0x2f67c:$s5: remove_Key
                • 0x30556:$s6: FtpWebRequest
                • 0x312c9:$s7: logins
                • 0x3183b:$s7: logins
                • 0x34540:$s7: logins
                • 0x345fe:$s7: logins
                • 0x35efa:$s7: logins
                • 0x35198:$s9: 1.85 (Hash, version 2, native byte-order)
                0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  Click to see the 7 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Suricata Signatures

                  No Suricata rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: uVEaZrbyd6.exeAvira: detected
                  Found malware configuration
                  Source: 7.2.RegSvcs.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://inhanoi.net.vn", "Username": "newboxoffice@inhanoi.net.vn", "Password": "^TSt3!FK$UBA"}
                  Multi AV Scanner detection for submitted file
                  Source: uVEaZrbyd6.exeVirustotal: Detection: 76%Perma Link
                  Source: uVEaZrbyd6.exeReversingLabs: Detection: 71%
                  Joe Sandbox ML detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Source: uVEaZrbyd6.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49719 version: TLS 1.2
                  Source: Binary string: wntdll.pdbUGP source: uVEaZrbyd6.exe, 00000000.00000003.1283687383.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, uVEaZrbyd6.exe, 00000000.00000003.1283533059.0000000003A70000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: uVEaZrbyd6.exe, 00000000.00000003.1283687383.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, uVEaZrbyd6.exe, 00000000.00000003.1283533059.0000000003A70000.00000004.00001000.00020000.00000000.sdmp
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002B445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_002B445A
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BC6D1 FindFirstFileW,FindClose,0_2_002BC6D1
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_002BC75C
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002BEF95
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002BF0F2
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002BF3F3
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002B37EF
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002B3B12
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002BBCBC
                  Source: global trafficTCP traffic: 192.168.2.4:58092 -> 1.1.1.1:53
                  Source: Joe Sandbox ViewIP Address: 45.252.248.26 45.252.248.26
                  Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                  Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                  Source: Joe Sandbox ViewASN Name: AZDIGI-AS-VNAZDIGICorporationVN AZDIGI-AS-VNAZDIGICorporationVN
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: api.ipify.org
                  Source: unknownDNS query: name: api.ipify.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002C22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_002C22EE
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                  Source: global trafficDNS traffic detected: DNS query: inhanoi.net.vn
                  Source: RegSvcs.exe, 00000007.00000002.3746405433.0000000006364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
                  Source: RegSvcs.exe, 00000007.00000002.3746405433.0000000006364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microscom/pki/crl/&
                  Source: RegSvcs.exe, 00000007.00000002.3743655632.000000000307C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://inhanoi.net.vn
                  Source: RegSvcs.exe, 00000007.00000002.3746405433.0000000006364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.co
                  Source: RegSvcs.exe, 00000007.00000002.3743655632.0000000003001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: uVEaZrbyd6.exe, 00000000.00000002.1292494559.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3741771518.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: uVEaZrbyd6.exe, 00000000.00000002.1292494559.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3741771518.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3743655632.0000000003001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: RegSvcs.exe, 00000007.00000002.3743655632.0000000003001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: RegSvcs.exe, 00000007.00000002.3743655632.0000000003001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                  Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49719 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  barindex
                  Contains functionality to log keystrokes (.Net Source)
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, 7KG.cs.Net Code: _35gAjh
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002C4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_002C4164
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002C4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_002C4164
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002C3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_002C3F66
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002B001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_002B001C
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002DCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_002DCABC

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 00000000.00000002.1292494559.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 00000000.00000002.1292494559.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Binary is likely a compiled AutoIt script file
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: This is a third-party compiled AutoIt script.0_2_00253B3A
                  Source: uVEaZrbyd6.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: uVEaZrbyd6.exe, 00000000.00000000.1263504196.0000000000304000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_9f4d842f-c
                  Source: uVEaZrbyd6.exe, 00000000.00000000.1263504196.0000000000304000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_c6118fb5-a
                  Source: uVEaZrbyd6.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e861c8df-9
                  Source: uVEaZrbyd6.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_f01fbbe1-5
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_002BA1EF
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002A8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_002A8310
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002B51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_002B51BD
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_0025E6A00_2_0025E6A0
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_0027D9750_2_0027D975
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002721C50_2_002721C5
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002862D20_2_002862D2
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002D03DA0_2_002D03DA
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_0028242E0_2_0028242E
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002725FA0_2_002725FA
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002AE6160_2_002AE616
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002666E10_2_002666E1
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_0028878F0_2_0028878F
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002688080_2_00268808
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002868440_2_00286844
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002D08570_2_002D0857
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002B88890_2_002B8889
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_0027CB210_2_0027CB21
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00286DB60_2_00286DB6
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00266F9E0_2_00266F9E
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002630300_2_00263030
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002731870_2_00273187
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_0027F1D90_2_0027F1D9
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002512870_2_00251287
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002714840_2_00271484
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002655200_2_00265520
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002776960_2_00277696
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002657600_2_00265760
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002719780_2_00271978
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_0025FCE00_2_0025FCE0
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_0027BDA60_2_0027BDA6
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00271D900_2_00271D90
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002D7DDB0_2_002D7DDB
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_0025DF000_2_0025DF00
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00263FE00_2_00263FE0
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_035836000_2_03583600
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0158E3097_2_0158E309
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_0158A9CF7_2_0158A9CF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01584A587_2_01584A58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01583E407_2_01583E40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_015841887_2_01584188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06A99C487_2_06A99C48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06AA66887_2_06AA6688
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06AA56507_2_06AA5650
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06AAB2C77_2_06AAB2C7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06AAC2187_2_06AAC218
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06AA31107_2_06AA3110
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06AA7E287_2_06AA7E28
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06AA77487_2_06AA7748
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06AAE4387_2_06AAE438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06AA00407_2_06AA0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06AA5D7B7_2_06AA5D7B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06AA00387_2_06AA0038
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06AA00077_2_06AA0007
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: String function: 00257DE1 appears 35 times
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: String function: 00278900 appears 42 times
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: String function: 00270AE3 appears 70 times
                  Source: uVEaZrbyd6.exe, 00000000.00000003.1291066854.0000000003D3D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs uVEaZrbyd6.exe
                  Source: uVEaZrbyd6.exe, 00000000.00000003.1281486525.0000000003B53000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs uVEaZrbyd6.exe
                  Source: uVEaZrbyd6.exe, 00000000.00000002.1292494559.00000000039F0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilename23efd368-458e-4e25-bda8-069458a07ef4.exe4 vs uVEaZrbyd6.exe
                  Source: uVEaZrbyd6.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 00000000.00000002.1292494559.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 00000000.00000002.1292494559.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, 1UT6pzc0M.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, DnQOD3M.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, 01seU.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, iUDwvr7Gz.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, XUu2qKyuF6.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, aZathEIgR.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, l50VLEll22.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, l50VLEll22.csCryptographic APIs: 'TransformFinalBlock'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/4@2/2
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BA06A GetLastError,FormatMessageW,0_2_002BA06A
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002A81CB AdjustTokenPrivileges,CloseHandle,0_2_002A81CB
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002A87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_002A87E1
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_002BB333
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002CEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_002CEE0D
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002C83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_002C83BB
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00254E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00254E89
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeFile created: C:\Users\user\AppData\Local\Temp\autAAF7.tmpJump to behavior
                  Source: uVEaZrbyd6.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: uVEaZrbyd6.exeVirustotal: Detection: 76%
                  Source: uVEaZrbyd6.exeReversingLabs: Detection: 71%
                  Source: unknownProcess created: C:\Users\user\Desktop\uVEaZrbyd6.exe "C:\Users\user\Desktop\uVEaZrbyd6.exe"
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\uVEaZrbyd6.exe"
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\uVEaZrbyd6.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: uVEaZrbyd6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: uVEaZrbyd6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: uVEaZrbyd6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: uVEaZrbyd6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: uVEaZrbyd6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: uVEaZrbyd6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: uVEaZrbyd6.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: uVEaZrbyd6.exe, 00000000.00000003.1283687383.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, uVEaZrbyd6.exe, 00000000.00000003.1283533059.0000000003A70000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: uVEaZrbyd6.exe, 00000000.00000003.1283687383.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, uVEaZrbyd6.exe, 00000000.00000003.1283533059.0000000003A70000.00000004.00001000.00020000.00000000.sdmp
                  Source: uVEaZrbyd6.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: uVEaZrbyd6.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: uVEaZrbyd6.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: uVEaZrbyd6.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: uVEaZrbyd6.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00254B37 LoadLibraryA,GetProcAddress,0_2_00254B37
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00278945 push ecx; ret 0_2_00278958
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01580C53 push ebx; retf 7_2_01580C52
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01580C45 push ebx; retf 7_2_01580C52
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_01580C6D push edi; retf 7_2_01580C7A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 7_2_06A9F8BF push es; retf 7_2_06A9F8C8
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_002548D7
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002D5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_002D5376
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00273187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00273187
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Switches to a custom stack to bypass stack traces
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeAPI/Special instruction interceptor: Address: 3583224
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599890Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599671Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599562Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599453Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599344Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599234Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599122Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599015Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598906Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598797Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598687Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598578Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598469Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598344Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598233Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598125Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598015Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597906Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597796Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597687Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597578Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597468Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597359Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597250Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597140Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597030Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596921Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596812Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596698Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596593Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596484Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595828Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595718Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595609Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595500Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595390Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595281Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595172Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594828Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594719Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594594Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1013Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8847Jump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-102049
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeAPI coverage: 4.6 %
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002B445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_002B445A
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BC6D1 FindFirstFileW,FindClose,0_2_002BC6D1
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_002BC75C
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002BEF95
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002BF0F2
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002BF3F3
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002B37EF
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002B3B12
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002BBCBC
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_002549A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599890Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599671Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599562Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599453Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599344Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599234Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599122Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599015Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598906Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598797Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598687Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598578Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598469Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598344Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598233Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598125Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598015Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597906Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597796Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597687Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597578Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597468Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597359Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597250Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597140Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597030Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596921Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596812Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596698Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596593Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596484Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596375Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596265Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595828Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595718Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595609Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595500Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595390Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595281Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595172Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595047Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594828Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594719Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594594Jump to behavior
                  Source: RegSvcs.exe, 00000007.00000002.3746405433.0000000006364000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeAPI call chain: ExitProcess graph end nodegraph_0-100863
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002C3F09 BlockInput,0_2_002C3F09
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00253B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00253B3A
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00285A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00285A7C
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00254B37 LoadLibraryA,GetProcAddress,0_2_00254B37
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_035834F0 mov eax, dword ptr fs:[00000030h]0_2_035834F0
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_03583490 mov eax, dword ptr fs:[00000030h]0_2_03583490
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_03581E70 mov eax, dword ptr fs:[00000030h]0_2_03581E70
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002A80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_002A80A9
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_0027A124 SetUnhandledExceptionFilter,0_2_0027A124
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_0027A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0027A155
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Maps a DLL or memory area into another process
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and writeJump to behavior
                  Writes to foreign memory regions
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EBA008Jump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002A87B1 LogonUserW,0_2_002A87B1
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00253B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00253B3A
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_002548D7
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002B4C27 mouse_event,0_2_002B4C27
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\uVEaZrbyd6.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002A7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_002A7CAF
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002A874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_002A874B
                  Source: uVEaZrbyd6.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: uVEaZrbyd6.exeBinary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_0027862B cpuid 0_2_0027862B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00284E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00284E87
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00291E06 GetUserNameW,0_2_00291E06
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_00283F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00283F3A
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_002549A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 0.2.uVEaZrbyd6.exe.39f0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000007.00000002.3743655632.000000000307C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.3743655632.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.3741771518.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1292494559.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: uVEaZrbyd6.exe PID: 7512, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7768, type: MEMORYSTR
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
                  Tries to steal Mail credentials (via file / registry access)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: uVEaZrbyd6.exeBinary or memory string: WIN_81
                  Source: uVEaZrbyd6.exeBinary or memory string: WIN_XP
                  Source: uVEaZrbyd6.exeBinary or memory string: WIN_XPe
                  Source: uVEaZrbyd6.exeBinary or memory string: WIN_VISTA
                  Source: uVEaZrbyd6.exeBinary or memory string: WIN_7
                  Source: uVEaZrbyd6.exeBinary or memory string: WIN_8
                  Source: uVEaZrbyd6.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                  Source: Yara matchFile source: 0.2.uVEaZrbyd6.exe.39f0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000007.00000002.3743655632.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.3741771518.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1292494559.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: uVEaZrbyd6.exe PID: 7512, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7768, type: MEMORYSTR

                  Remote Access Functionality

                  barindex
                  Yara detected AgentTesla
                  Source: Yara matchFile source: 0.2.uVEaZrbyd6.exe.39f0000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.uVEaZrbyd6.exe.39f0000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000007.00000002.3743655632.000000000307C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.3743655632.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000007.00000002.3741771518.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1292494559.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: uVEaZrbyd6.exe PID: 7512, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7768, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002C6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_002C6283
                  Source: C:\Users\user\Desktop\uVEaZrbyd6.exeCode function: 0_2_002C6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_002C6747

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire Infrastructure2
                  Valid Accounts                  		121
                  Windows Management Instrumentation                  		1
                  DLL Side-Loading                  		1
                  Exploitation for Privilege Escalation                  		11
                  Disable or Modify Tools                  		2
                  OS Credential Dumping                  		2
                  System Time Discovery                  		Remote Services11
                  Archive Collected Data                  		2
                  Ingress Tool Transfer                  		Exfiltration Over Other Network Medium1
                  System Shutdown/Reboot
                  CredentialsDomainsDefault Accounts2
                  Native API                  		2
                  Valid Accounts                  		1
                  DLL Side-Loading                  		11
                  Deobfuscate/Decode Files or Information                  		121
                  Input Capture                  		1
                  Account Discovery                  		Remote Desktop Protocol2
                  Data from Local System                  		11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
                  Valid Accounts                  		2
                  Obfuscated Files or Information                  		1
                  Credentials in Registry                  		2
                  File and Directory Discovery                  		SMB/Windows Admin Shares1
                  Email Collection                  		2
                  Non-Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                  Access Token Manipulation                  		1
                  DLL Side-Loading                  		NTDS138
                  System Information Discovery                  		Distributed Component Object Model121
                  Input Capture                  		13
                  Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                  Process Injection                  		2
                  Valid Accounts                  		LSA Secrets241
                  Security Software Discovery                  		SSH3
                  Clipboard Data                  		Fallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts121
                  Virtualization/Sandbox Evasion                  		Cached Domain Credentials121
                  Virtualization/Sandbox Evasion                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
                  Access Token Manipulation                  		DCSync2
                  Process Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job212
                  Process Injection                  		Proc Filesystem11
                  Application Window Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                  System Owner/User Discovery                  		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                  IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                  System Network Configuration Discovery                  		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.