Windows Analysis Report
OC & PL.exe

Overview

General Information

Sample name: OC & PL.exe
Analysis ID: 1559981
MD5: c6a534ee57dee61cb20b631d697a6a09
SHA1: e9f122b4daf12299d0a55e6e51801b386063ed61
SHA256: ad4cfc06bad357de4ab58c9c01bc2e7015fd1944e35a206ef8b053611119f04f
Tags: exeuser-lowmal3

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 5.2.RegSvcs.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.agaliofu.top", "Username": "egooyibo@agaliofu.top", "Password": "QPS.6YYl.Yi= "}
Source: OC & PL.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: OC & PL.exe Joe Sandbox ML: detected
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: /log.tmp
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>[
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: yyyy-MM-dd HH:mm:ss
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ]<br>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Time:
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: MM/dd/yyyy HH:mm:ss
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>User Name:
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>Computer Name:
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>OSFullName:
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>CPU:
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>RAM:
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: IP Address:
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <hr>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: New
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: MM/dd/yyyy HH:mm:ss
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: IP Address:
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: true
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: mail.agaliofu.top
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: egooyibo@agaliofu.top
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: QPS.6YYl.Yi=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: egooyibo@agaliofu.top
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: false
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: appdata
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: MBecZ
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: MBecZ.exe
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: MBecZ
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: true
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Type
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \drivers\etc\hosts
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <hr>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <br>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <b>[
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ]</b> (
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: )<br>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {BACK}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {ALT+TAB}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {ALT+F4}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {TAB}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {ESC}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {Win}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {CAPSLOCK}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {KEYUP}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {KEYDOWN}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {KEYLEFT}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {KEYRIGHT}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {DEL}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {END}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {HOME}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {Insert}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {NumLock}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {PageDown}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {PageUp}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {ENTER}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {F1}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {F2}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {F3}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {F4}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {F5}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {F6}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {F7}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {F8}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {F9}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {F10}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {F11}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {F12}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: control
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {CTRL}
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: &amp;
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: &lt;
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: &gt;
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: &quot;
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <br><hr>Copied Text: <br>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <hr>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: logins
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: IE/Edge
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Secure Note
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Web Password Credential
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Credential Picker Protector
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Web Credentials
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Credentials
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Domain Certificate Credential
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Domain Password Credential
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Extended Credential
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: 00000000-0000-0000-0000-000000000000
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SchemaId
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: pResourceElement
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: pIdentityElement
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: pPackageSid
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: pAuthenticatorElement
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: IE/Edge
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: UC Browser
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: UCBrowser\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Login Data
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: journal
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: wow_logins
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Safari for Windows
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <array>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <dict>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <string>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: </string>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <string>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: </string>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <data>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: </data>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: -convert xml1 -s -o "
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \fixed_keychain.xml"
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Microsoft\Credentials\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Microsoft\Credentials\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Microsoft\Credentials\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Microsoft\Credentials\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Microsoft\Protect\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: credential
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: QQ Browser
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Tencent\QQBrowser\User Data
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Default\EncryptedStorage
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Profile
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \EncryptedStorage
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: entries
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: category
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: str3
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: str2
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: blob0
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: password_value
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: IncrediMail
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: PopPassword
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SmtpPassword
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\IncrediMail\Identities\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Accounts_New
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: PopPassword
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SmtpPassword
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SmtpServer
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: EmailAddress
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Eudora
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: current
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Settings
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SavePasswordText
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Settings
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ReturnAddress
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Falkon Browser
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \falkon\profiles\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: profiles.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: profiles.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \browsedata.db
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: autofill
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ClawsMail
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Claws-mail
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \clawsrc
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \clawsrc
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: passkey0
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: master_passphrase_salt=(.+)
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \accountrc
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: smtp_server
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: address
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: account
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \passwordstorerc
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: {(.*),(.*)}(.*)
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Flock Browser
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: APPDATA
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Flock\Browser\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: signons3.txt
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: DynDns
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ALLUSERSPROFILE
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Dyn\Updater\config.dyndns
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: username=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: password=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: https://account.dyn.com/
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: t6KzXhCh
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ALLUSERSPROFILE
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Dyn\Updater\daemon.cfg
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: global
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: accounts
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: account.
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: username
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: account.
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Psi/Psi+
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: name
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Psi/Psi+
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: APPDATA
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Psi\profiles
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: APPDATA
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Psi+\profiles
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \accounts.xml
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \accounts.xml
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: OpenVPN
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\OpenVPN-GUI\configs
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\OpenVPN-GUI\configs
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\OpenVPN-GUI\configs\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: username
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: auth-data
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: entropy
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: USERPROFILE
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \OpenVPN\config\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: remote
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: remote
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: NordVPN
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: NordVPN
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: NordVpn.exe*
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: user.config
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: //setting[@name='Username']/value
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: //setting[@name='Password']/value
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: NordVPN
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Private Internet Access
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: %ProgramW6432%
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Private Internet Access\data
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Private Internet Access\data
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \account.json
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: .*"username":"(.*?)"
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: .*"password":"(.*?)"
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Private Internet Access
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: privateinternetaccess.com
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: FileZilla
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: APPDATA
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \FileZilla\recentservers.xml
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: APPDATA
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \FileZilla\recentservers.xml
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <Server>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <Host>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <Host>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: </Host>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <Port>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: </Port>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <User>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <User>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: </User>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <Pass encoding="base64">
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <Pass encoding="base64">
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: </Pass>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <Pass>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <Pass encoding="base64">
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: </Pass>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: CoreFTP
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: User
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Host
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Port
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: hdfzpysvpzimorhk
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: WinSCP
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: HostName
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: UserName
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: PublicKeyFile
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: PortNumber
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: WinSCP
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ABCDEF
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Flash FXP
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: port
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: user
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: pass
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: quick.dat
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Sites.dat
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \FlashFXP\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \FlashFXP\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: FTP Navigator
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SystemDrive
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \FTP Navigator\Ftplist.txt
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Server
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: No Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: User
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SmartFTP
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: APPDATA
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: WS_FTP
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: appdata
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: HOST
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: PWD=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: PWD=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: FtpCommander
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SystemDrive
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SystemDrive
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SystemDrive
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \cftp\Ftplist.txt
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ;Password=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ;User=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ;Server=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ;Port=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ;Port=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ;Password=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ;User=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ;Anonymous=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: FTPGetter
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \FTPGetter\servers.xml
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <server>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_ip>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_ip>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: </server_ip>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_port>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: </server_port>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_user_name>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_user_name>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: </server_user_name>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_user_password>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: <server_user_password>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: </server_user_password>
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: FTPGetter
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: The Bat!
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: appdata
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \The Bat!
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Account.CFN
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Account.CFN
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Becky!
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: DataDir
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Folder.lst
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Mailbox.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Account
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: PassWd
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Account
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SMTPServer
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Account
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: MailAddress
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Becky!
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Outlook
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: IMAP Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: POP3 Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: HTTP Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SMTP Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: IMAP Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: POP3 Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: HTTP Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SMTP Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Server
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Windows Mail App
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Server
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SchemaId
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: pResourceElement
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: pIdentityElement
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: pPackageSid
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: pAuthenticatorElement
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: syncpassword
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: mailoutgoing
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: FoxMail
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Executable
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: FoxmailPath
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Storage\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Storage\
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \mail
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \mail
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Accounts\Account.rec0
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Accounts\Account.rec0
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Account.stg
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Account.stg
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: POP3Host
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SMTPHost
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: IncomingServer
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Account
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: MailAddress
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: POP3Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Opera Mail
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: opera:
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: PocoMail
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: appdata
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Pocomail\accounts.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: POPPass
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SMTPPass
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SMTP
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: eM Client
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: eM Client\accounts.dat
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: eM Client
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Accounts
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: "Username":"
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: "Secret":"
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: "ProviderName":"
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: o6806642kbM7c5
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Mailbird
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SenderIdentities
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Accounts
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \Mailbird\Store\Store.db
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Server_Host
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Accounts
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Email
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Username
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: EncryptedPassword
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Mailbird
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: RealVNC 4.x
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: RealVNC 3.x
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SOFTWARE\RealVNC\vncserver
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: RealVNC 4.x
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: RealVNC 3.x
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\ORL\WinVNC3
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: TightVNC
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\TightVNC\Server
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: TightVNC
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\TightVNC\Server
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: PasswordViewOnly
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: TightVNC ControlPassword
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\TightVNC\Server
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ControlPassword
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: TigerVNC
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Software\TigerVNC\Server
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Password
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd2
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd2
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd2
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: UltraVNC
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: ProgramFiles(x86)
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: passwd2
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: JDownloader 2.0
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: JDownloader 2.0\cfg
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: JDownloader 2.0\cfg
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 5.2.RegSvcs.exe.400000.0.unpack String decryptor: Paltalk
Source: OC & PL.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: OC & PL.exe, 00000000.00000003.1279549859.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, OC & PL.exe, 00000000.00000003.1278717254.0000000003430000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: OC & PL.exe, 00000000.00000003.1279549859.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, OC & PL.exe, 00000000.00000003.1278717254.0000000003430000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00746CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00746CA9
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_007460DD
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_007463F9
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0074EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0074EB60
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0074F56F FindFirstFileW,FindClose, 0_2_0074F56F
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0074F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0074F5FA
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00751B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00751B2F
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00751C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00751C8A
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00751F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00751F94
Source: global traffic TCP traffic: 192.168.2.7:49701 -> 194.36.191.196:587
Source: Joe Sandbox View IP Address: 194.36.191.196
Source: Joe Sandbox View ASN Name: HSAE
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00754EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00754EB5
Source: global traffic DNS traffic detected: DNS query: mail.agaliofu.top
Source: RegSvcs.exe, 00000005.00000002.2505480865.0000000002B61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://agaliofu.top
Source: RegSvcs.exe, 00000005.00000002.2505480865.0000000002B61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.agaliofu.top
Source: RegSvcs.exe, 00000005.00000002.2506741049.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2506741049.0000000005660000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2504022083.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2505480865.0000000002B61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r10.i.lencr.org/0
Source: RegSvcs.exe, 00000005.00000002.2506741049.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2506741049.0000000005660000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2504022083.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2505480865.0000000002B61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000005.00000002.2506741049.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2504022083.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2505480865.0000000002B61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000005.00000002.2506741049.0000000005660000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.
Source: RegSvcs.exe, 00000005.00000002.2506741049.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2504022083.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2505480865.0000000002B61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.OC & PL.exe.670000.0.raw.unpack, SoC.cs .Net Code: _0PCB6lvQ5rw
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00756B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00756B0C
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00756D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00756D07
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00742B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00742B37

System Summary

Source: C:\Users\user\Desktop\OC & PL.exe Code function: This is a third-party compiled AutoIt script. 0_2_00703D19
Source: OC & PL.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: OC & PL.exe, 00000000.00000000.1255988345.00000000007AE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_70d81c01-a
Source: OC & PL.exe, 00000000.00000000.1255988345.00000000007AE000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: sSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_222d2d83-e
Source: OC & PL.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_63f55c29-2
Source: OC & PL.exe String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_0d674436-f
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00746606: CreateFileW,DeviceIoControl,CloseHandle, 0_2_00746606
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0073ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_0073ACC5
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007479D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_007479D3
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0072B043 0_2_0072B043
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00713200 0_2_00713200
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00713B70 0_2_00713B70
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0073410F 0_2_0073410F
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007202A4 0_2_007202A4
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0070E3E3 0_2_0070E3E3
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0073038E 0_2_0073038E
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0073467F 0_2_0073467F
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007206D9 0_2_007206D9
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0076AACE 0_2_0076AACE
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00734BEF 0_2_00734BEF
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0072CCC1 0_2_0072CCC1
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0070AF50 0_2_0070AF50
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00706F07 0_2_00706F07
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0071B11F 0_2_0071B11F
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007631BC 0_2_007631BC
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0072D1B9 0_2_0072D1B9
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0073724D 0_2_0073724D
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0072123A 0_2_0072123A
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007093F0 0_2_007093F0
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007413CA 0_2_007413CA
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0071F563 0_2_0071F563
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007096C0 0_2_007096C0
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0074B6CC 0_2_0074B6CC
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007077B0 0_2_007077B0
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007379C9 0_2_007379C9
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0071FA57 0_2_0071FA57
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00709B60 0_2_00709B60
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00707D19 0_2_00707D19
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0071FE6F 0_2_0071FE6F
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00729ED0 0_2_00729ED0
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00707FA3 0_2_00707FA3
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00F56510 0_2_00F56510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_028A4250 5_2_028A4250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_028AF975 5_2_028AF975
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_028A4E68 5_2_028A4E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_028AAC42 5_2_028AAC42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_028A4598 5_2_028A4598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05D98160 5_2_05D98160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05D930A0 5_2_05D930A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05D96810 5_2_05D96810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05D95790 5_2_05D95790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05D9BAFB 5_2_05D9BAFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05D9F130 5_2_05D9F130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05D90040 5_2_05D90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_05D95ED3 5_2_05D95ED3
Source: C:\Users\user\Desktop\OC & PL.exe Code function: String function: 0071EC2F appears 68 times
Source: C:\Users\user\Desktop\OC & PL.exe Code function: String function: 0072F8A0 appears 35 times
Source: C:\Users\user\Desktop\OC & PL.exe Code function: String function: 00726AC0 appears 42 times
Source: OC & PL.exe, 00000000.00000003.1280680700.00000000036FD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs OC & PL.exe
Source: OC & PL.exe, 00000000.00000003.1278067652.0000000003553000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs OC & PL.exe
Source: OC & PL.exe, 00000000.00000002.1281202457.0000000000670000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename667ba23f-a209-46d6-8a32-7e551fe203f6.exe4 vs OC & PL.exe
Source: 0.2.OC & PL.exe.670000.0.raw.unpack, 3SHNS.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OC & PL.exe.670000.0.raw.unpack, Nsobj.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OC & PL.exe.670000.0.raw.unpack, kPjPB5Pg.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OC & PL.exe.670000.0.raw.unpack, L0cY6BffcK.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.OC & PL.exe.670000.0.raw.unpack, U25VpnZdCi.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OC & PL.exe.670000.0.raw.unpack, 8Po0IVbA.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.OC & PL.exe.670000.0.raw.unpack, En337tp.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OC & PL.exe.670000.0.raw.unpack, En337tp.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.OC & PL.exe.670000.0.raw.unpack, F1ul27ct.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OC & PL.exe.670000.0.raw.unpack, F1ul27ct.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OC & PL.exe.670000.0.raw.unpack, F1ul27ct.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.OC & PL.exe.670000.0.raw.unpack, F1ul27ct.cs Cryptographic APIs: 'TransformFinalBlock'
Source: OC & PL.exe, 00000000.00000003.1266243059.0000000000D99000.00000004.00000020.00020000.00000000.sdmp, OC & PL.exe, 00000000.00000003.1266314680.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp, immortaliser.0.dr Binary or memory string: 6.vBP6*M
Source: OC & PL.exe, 00000000.00000003.1266243059.0000000000D99000.00000004.00000020.00020000.00000000.sdmp, OC & PL.exe, 00000000.00000003.1266314680.0000000000DB8000.00000004.00000020.00020000.00000000.sdmp, immortaliser.0.dr Binary or memory string: 6.vBP6
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0074CE7A GetLastError,FormatMessageW, 0_2_0074CE7A
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0073AB84 AdjustTokenPrivileges,CloseHandle, 0_2_0073AB84
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0073B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_0073B134
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0074E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0074E1FD
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00746532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 0_2_00746532
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0075C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 0_2_0075C18C
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0070406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_0070406B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\OC & PL.exe File created: C:\Users\user~1\AppData\Local\Temp\aut1756.tmp
Source: OC & PL.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\OC & PL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OC & PL.exe ReversingLabs: Detection: 55%
Source: unknown Process created: C:\Users\user\Desktop\OC & PL.exe "C:\Users\user\Desktop\OC & PL.exe"
Source: C:\Users\user\Desktop\OC & PL.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\OC & PL.exe"
Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: OC & PL.exe Static file information: File size 1225216 > 1048576
Source: OC & PL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: OC & PL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: OC & PL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: OC & PL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: OC & PL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: OC & PL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: OC & PL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: OC & PL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: OC & PL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: OC & PL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: OC & PL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: OC & PL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0071E01E LoadLibraryA,GetProcAddress, 0_2_0071E01E
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0071288B push 66007123h; retn 0077h 0_2_007128E1
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00726B05 push ecx; ret 0_2_00726B18
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00F5697A push ebp; iretd 0_2_00F56984
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00F56E19 push 2DA9E07Bh; ret 0_2_00F56E21

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download.png
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00768111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00768111
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0071EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0071EB42
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0072123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0072123A
Source: C:\Users\user\Desktop\OC & PL.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\OC & PL.exe API/Special instruction interceptor: Address: F56134
Source: OC & PL.exe, 00000000.00000003.1258140373.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, OC & PL.exe, 00000000.00000002.1282487024.0000000000E27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1525 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8305 Jump to behavior
Source: C:\Users\user\Desktop\OC & PL.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\OC & PL.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\OC & PL.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\OC & PL.exe API coverage: 4.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00746CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00746CA9
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_007460DD
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_007463F9
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0074EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0074EB60
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0074F56F FindFirstFileW,FindClose, 0_2_0074F56F
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0074F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0074F5FA
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00751B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00751B2F
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00751C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00751C8A
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00751F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00751F94
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0071DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0071DDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99657 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99532 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99407 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99282 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98563 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97782 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97657 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97532 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97407 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97188 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96938 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96688 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96469 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96344 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95110 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94985 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94860 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94735 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94610 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94485 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94360 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94235 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94110 Jump to behavior
Source: RegSvcs.exe, 00000005.00000002.2506741049.0000000005660000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: C:\Users\user\Desktop\OC & PL.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00756AAF BlockInput, 0_2_00756AAF
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00703D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00703D19
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00733920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_00733920
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0071E01E LoadLibraryA,GetProcAddress, 0_2_0071E01E
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00F563A0 mov eax, dword ptr fs:[00000030h] 0_2_00F563A0
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00F56400 mov eax, dword ptr fs:[00000030h] 0_2_00F56400
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00F54D20 mov eax, dword ptr fs:[00000030h] 0_2_00F54D20
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0073A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_0073A66C
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007281AC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007281AC
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00728189 SetUnhandledExceptionFilter, 0_2_00728189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior
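The push/ret sequences listed earlier in the report (0_2_0071288B, 0_2_00726B05, 0_2_00F5697A, 0_2_00F56E19) and the mov eax, fs:[30h] reads above (0_2_00F563A0, 0_2_00F56400, 0_2_00F54D20) are worth sweeping an unpacked region for before opening it in a disassembler: the first family replaces jmp/call with a push of the target and a ret, so the listing shows no branch, and the second fetches the PEB pointer that BeingDebugged and NtGlobalFlag hang off. The scanner below is an added example, not part of this report or of the sample. It runs over a constructed byte string that reproduces those instruction encodings; the load address passed to scan() is arbitrary. Caveat: it only pairs a push with a ret that immediately follows it, so a pair the disassembler joined across intervening code (the report's push at 0071288B and its retn at 007128E1 are 0x56 bytes apart) needs flow-following rather than a linear sweep.

```python
"""Linear-sweep scan of 32-bit x86 code for push/ret control-flow tricks and
fs:[30h] PEB reads. Added example for this report; the sample bytes below
are constructed to reproduce the encodings the report lists."""
from __future__ import annotations

import struct
from dataclasses import dataclass

PUSH_IMM32 = 0x68              # push imm32
PUSH_REG = range(0x50, 0x58)   # push eax .. push edi
RET = 0xC3                     # ret
RETN_IMM16 = 0xC2              # retn imm16
IRETD = 0xCF                   # iretd (pops EIP/CS/EFLAGS; abused as a ret)
FS_PREFIX = 0x64               # fs: segment override
MOV_EAX_MOFFS32 = 0xA1         # mov eax, [moffs32]
PEB_OFFSET = 0x30              # fs:[30h] = TEB.ProcessEnvironmentBlock on 32-bit Windows
REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class Hit:
    address: int   # base + offset of the first byte of the pattern
    kind: str
    detail: str


def scan(code: bytes, base: int = 0) -> list[Hit]:
    """Return every adjacent push/ret, push/retn, push/iretd and mov eax,fs:[30h] match."""
    hits: list[Hit] = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        # push imm32 followed by ret/retn: a jump to imm32 with no jmp/call in the listing
        if op == PUSH_IMM32 and i + 5 < n:
            target = struct.unpack_from("<I", code, i + 1)[0]
            nxt = code[i + 5]
            if nxt == RET:
                hits.append(Hit(base + i, "push-imm/ret", f"target=0x{target:08X}"))
                i += 6
                continue
            if nxt == RETN_IMM16 and i + 7 < n:
                pops = struct.unpack_from("<H", code, i + 6)[0]
                hits.append(Hit(base + i, "push-imm/retn", f"target=0x{target:08X} pops=0x{pops:X}"))
                i += 8
                continue
        # push reg followed by ret/iretd: indirect jump, target only known at run time
        if op in PUSH_REG and i + 1 < n and code[i + 1] in (RET, IRETD):
            how = "ret" if code[i + 1] == RET else "iretd"
            hits.append(Hit(base + i, f"push-reg/{how}", f"target=<{REG_NAMES[op - 0x50]}>"))
            i += 2
            continue
        # mov eax, fs:[30h]: fetch the PEB pointer (BeingDebugged / NtGlobalFlag live there)
        if op == FS_PREFIX and i + 5 < n and code[i + 1] == MOV_EAX_MOFFS32:
            if struct.unpack_from("<I", code, i + 2)[0] == PEB_OFFSET:
                hits.append(Hit(base + i, "peb-read", "mov eax, dword ptr fs:[30h]"))
                i += 6
                continue
        i += 1
    return hits


# Constructed input: encodings of the instructions the report lists, plus benign filler.
SAMPLE = bytes.fromhex(
    "6823710066" "C27700"   # push 66007123h ; retn 0077h   (cf. 0_2_0071288B)
    "51C3"                  # push ecx ; ret                (cf. 0_2_00726B05)
    "55CF"                  # push ebp ; iretd              (cf. 0_2_00F5697A)
    "687BE0A92D" "C3"       # push 2DA9E07Bh ; ret          (cf. 0_2_00F56E19)
    "64A130000000"          # mov eax, dword ptr fs:[30h]   (cf. 0_2_00F563A0)
    "33C0C3"                # xor eax, eax ; ret            (benign, must not match)
)
SAMPLE_BASE = 0x00F56000    # arbitrary load address for the constructed bytes


if __name__ == "__main__":
    for h in scan(SAMPLE, SAMPLE_BASE):
        print(f"{h.address:08X}  {h.kind:<14} {h.detail}")
```

Resolve push-imm targets against the unpacked image's section table before trusting them: the report's 2DA9E07Bh lies outside the sample's mapped ranges, which is typical of a thrown-away junk sequence rather than a real transfer, whereas a target inside .text is the one to follow.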

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\OC & PL.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\OC & PL.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 90F008 Jump to behavior
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0073B106 LogonUserW, 0_2_0073B106
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00703D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00703D19
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0074411C SendInput,keybd_event, 0_2_0074411C
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007474E7 mouse_event, 0_2_007474E7
Source: C:\Users\user\Desktop\OC & PL.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\OC & PL.exe" Jump to behavior
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0073A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_0073A66C
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007471FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_007471FA
Source: OC & PL.exe Binary or memory string: Shell_TrayWnd
Source: OC & PL.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_007265C4 cpuid 0_2_007265C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0075091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 0_2_0075091D
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0077B340 GetUserNameW, 0_2_0077B340
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00731E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00731E8E
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0071DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0071DDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.2505480865.0000000002B83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2505480865.0000000002B57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2505480865.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0.2.OC & PL.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OC & PL.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1281202457.0000000000670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2502890497.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: OC & PL.exe Binary or memory string: WIN_81
Source: OC & PL.exe Binary or memory string: WIN_XP
Source: OC & PL.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: OC & PL.exe Binary or memory string: WIN_XPe
Source: OC & PL.exe Binary or memory string: WIN_VISTA
Source: OC & PL.exe Binary or memory string: WIN_7
Source: OC & PL.exe Binary or memory string: WIN_8
Source: Yara match File source: 00000005.00000002.2505480865.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
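Two findings in this report and the previous section combine into a cheap host-side detection. Under HIPS / PFW the dropper creates RegSvcs.exe with the command line "C:\Users\user\Desktop\OC & PL.exe" (its own path, not RegSvcs' own), then writes into it and maps an execute/read/write section: the RunPE pattern, where a legitimate .NET host is launched under the dropper's command line and has the payload written over it. The payload in RegSvcs.exe then opens the Chrome and Edge Login Data files, the Firefox, Cyberfox, BlackHawk and Thunderbird profiles.ini, FTP Navigator's Ftplist.txt, and the WinSCP, Outlook and IncrediMail registry keys listed above. The rules below are an added example, not part of the report and not the sandbox's own logic; they run over a constructed, Sysmon-like event list whose shape (kind, Image, CommandLine, ParentImage, Target) is a simplification of mine, and the owner-process names for Cyberfox, BlackHawk, FTP Navigator and IncrediMail are assumptions.

```python
"""Detection rules over Sysmon-style events for two behaviours in the report:
RegSvcs.exe started with the parent's own command line (hollowing / RunPE),
and the injected payload reading credential stores that belong to other
applications. Added example; the events are constructed, not taken from
the report's event log."""
from __future__ import annotations

import ntpath

# .NET framework utilities that commodity stealers commonly hollow; RegSvcs.exe is the one here.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}

# Credential stores the report shows being opened, keyed by a lowercase path fragment,
# with the process expected to read each. Owners for Cyberfox, BlackHawk, FTP Navigator
# and IncrediMail are assumptions; the rest are the vendors' own binaries.
SENSITIVE_PATHS = {
    r"\google\chrome\user data": {"chrome.exe"},
    r"\microsoft\edge\user data": {"msedge.exe"},
    r"\mozilla\firefox\profiles.ini": {"firefox.exe"},
    r"\thunderbird\profiles.ini": {"thunderbird.exe"},
    r"\8pecxstudios\cyberfox": {"cyberfox.exe"},
    r"\netgate technologies\blackhawk": {"blackhawk.exe"},
    r"\ftp navigator\ftplist.txt": {"ftpnavigator.exe"},
}
SENSITIVE_KEYS = {
    r"\martin prikryl\winscp 2\sessions": {"winscp.exe"},
    r"\windows messaging subsystem\profiles\outlook": {"outlook.exe"},
    r"\incredimail\identities": {"incmail.exe"},
}


def cmdline_exe(cmdline: str) -> str:
    """Basename of the first token of a Windows command line, quoted or bare."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        tok = s[1:end] if end > 0 else s[1:]
    else:
        tok = s.split(" ", 1)[0]
    return ntpath.basename(tok).lower()


def check_process_create(ev: dict) -> list[str]:
    """Hollowing heuristic: a known host image whose command line names a different binary."""
    image = ntpath.basename(ev["Image"]).lower()
    if image not in HOLLOW_HOSTS:
        return []
    reasons = []
    if cmdline_exe(ev["CommandLine"]) != image:
        reasons.append("command line names a different executable than Image (RunPE-style hollowing)")
    parent = ev.get("ParentImage", "").lower()
    if "\\users\\" in parent or "\\temp\\" in parent:
        reasons.append("parent executable runs from a user-writable path")
    return reasons


def check_store_access(ev: dict) -> list[str]:
    """Credential-store heuristic: a store opened by a process that is not its owner."""
    image = ntpath.basename(ev["Image"]).lower()
    target = ev["Target"].lower()
    table = SENSITIVE_KEYS if ev["kind"] == "registry" else SENSITIVE_PATHS
    for fragment, owners in table.items():
        if fragment in target and image not in owners:
            return [f"{image} opened a credential store owned by {', '.join(sorted(owners))}"]
    return []


def triage(events: list[dict]) -> list[dict]:
    """Run the rule matching each event's kind and collect the findings."""
    findings = []
    for ev in events:
        reasons = check_process_create(ev) if ev["kind"] == "process" else check_store_access(ev)
        if reasons:
            findings.append({"rule": ev["kind"], "image": ntpath.basename(ev["Image"]),
                             "target": ev.get("Target", ev.get("CommandLine")), "reasons": reasons})
    return findings


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed events modelled on the report: two process creations, then file/registry opens.
EVENTS = [
    {"kind": "process", "Image": REGSVCS, "ParentImage": r"C:\Users\user\Desktop\OC & PL.exe",
     "CommandLine": r'"C:\Users\user\Desktop\OC & PL.exe"'},                       # as in the report
    {"kind": "process", "Image": REGSVCS, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": f'"{REGSVCS}" "C:\\Program Files\\Vendor\\Svc.dll"'},          # legitimate COM+ registration
    {"kind": "file", "Image": REGSVCS,
     "Target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "file", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},  # owner, no finding
    {"kind": "registry", "Image": REGSVCS,
     "Target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
]


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['rule']}] {f['image']}: {'; '.join(f['reasons'])}")
```

The command-line check is high-signal because a genuine RegSvcs.exe invocation names itself (or an installer's assembly argument), while a hollowed one inherits whatever the dropper handed to CreateProcess; confirm with cross-process write or section-mapping telemetry from the EDR before acting on it. The store-access rule intentionally ignores ordinary user browsing, since the owning browser or mail client is allowed, and fires only on a foreign reader such as the .NET host here.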

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.2505480865.0000000002B83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2505480865.0000000002B57000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2505480865.0000000002B01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6400, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 0.2.OC & PL.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.OC & PL.exe.670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1281202457.0000000000670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2502890497.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_00758C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00758C4F
Source: C:\Users\user\Desktop\OC & PL.exe Code function: 0_2_0075923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_0075923B