Windows Analysis Report
CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe

Overview

General Information

Sample name: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
Analysis ID: 1562317
MD5: 1ca01a88b80112024883e55a27b1345a
SHA1: 3fdcd8cd1ff882b9c76dd93f680bb7f60fc97c7d
SHA256: a848e5d8d3a080b81556f4f7ec1fe1103610bf7bbb023065bf2e6696abaf6769
Tags: exeuser-adrian__luca
Infos:

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://beirutrest.com", "Username": "belogs@beirutrest.com", "Password": "9yXQ39wz(uL+"}
Multi AV Scanner detection for submitted file
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe ReversingLabs: Detection: 63%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.10:49707 version: TLS 1.2
Source: Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1275322611.0000000004230000.00000004.00001000.00020000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1274608798.0000000004090000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1275322611.0000000004230000.00000004.00001000.00020000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1274608798.0000000004090000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_005B6CA9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_005B60DD
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_005B63F9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_005BEB60
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005BF56F FindFirstFileW,FindClose, 0_2_005BF56F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_005BF5FA
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_005C1B2F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_005C1C8A
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_005C1F94
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 50.87.144.157 50.87.144.157
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_005C4EB5
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: beirutrest.com
Source: RegSvcs.exe, 00000007.00000002.3730171766.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://beirutrest.com
Source: RegSvcs.exe, 00000007.00000002.3730171766.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3730171766.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000007.00000002.3730171766.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000007.00000002.3730171766.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.10:49707 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, n00.cs .Net Code: lGCzgIzdr
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_005C6B0C
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_005C6D07
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_005C6B0C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_005B2B37
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005DF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_005DF7FF

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000007.00000002.3728024191.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1279697783.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: This is a third-party compiled AutoIt script. 0_2_00573D19
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_d9ae9e02-1
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000002.1277214161.000000000061E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: ZSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_d7c2115a-3
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_a810b0ec-2
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_c9eac0fd-6
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B6606: CreateFileW,DeviceIoControl,CloseHandle, 0_2_005B6606
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005AAF64 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock, 0_2_005AAF64
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_005B79D3
Detected potential crypto function
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0059B043 0_2_0059B043
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005A410F 0_2_005A410F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005902A4 0_2_005902A4
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0057E3E3 0_2_0057E3E3
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005A038E 0_2_005A038E
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005A467F 0_2_005A467F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005906D9 0_2_005906D9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005DAACE 0_2_005DAACE
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005A4BEF 0_2_005A4BEF
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0059CCC1 0_2_0059CCC1
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0057AF50 0_2_0057AF50
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_00576F07 0_2_00576F07
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0058B11F 0_2_0058B11F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0059D1B9 0_2_0059D1B9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005D31BC 0_2_005D31BC
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005A724D 0_2_005A724D
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_00583200 0_2_00583200
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0059123A 0_2_0059123A
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B13CA 0_2_005B13CA
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005793F0 0_2_005793F0
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0058F563 0_2_0058F563
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005796C0 0_2_005796C0
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005BB6CC 0_2_005BB6CC
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005DF7FF 0_2_005DF7FF
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005777B0 0_2_005777B0
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005A79C9 0_2_005A79C9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0058FA57 0_2_0058FA57
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_00583B70 0_2_00583B70
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_00579B60 0_2_00579B60
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0058FE6F 0_2_0058FE6F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_00599ED0 0_2_00599ED0
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_00577FA3 0_2_00577FA3
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_016CD5D0 0_2_016CD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00408C60 7_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0040DC11 7_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00407C3F 7_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00418CCC 7_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00406CA0 7_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004028B0 7_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041A4BE 7_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00418244 7_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00401650 7_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00402F20 7_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004193C4 7_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00418788 7_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00402F89 7_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00402B90 7_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004073A0 7_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0293CDC8 7_2_0293CDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0293D9E0 7_2_0293D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_02931298 7_2_02931298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_02931030 7_2_02931030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_02931022 7_2_02931022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0293D110 7_2_0293D110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_061FEE78 7_2_061FEE78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_061F9738 7_2_061F9738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_061FBD98 7_2_061FBD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_061F6318 7_2_061F6318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_061FF5D0 7_2_061FF5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_061F0027 7_2_061F0027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_061F0040 7_2_061F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06615238 7_2_06615238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0661A0F8 7_2_0661A0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_066161B0 7_2_066161B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_06611538 7_2_06611538
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_066183B0 7_2_066183B0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: String function: 0058EC2F appears 68 times
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: String function: 00596AC0 appears 42 times
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: String function: 0059F8A0 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 43 times
Sample file is different than original file name gathered from version info
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1276118959.00000000041B3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1276271429.000000000435D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000002.1279697783.0000000002300000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename2ee75d06-d489-4537-90fc-92fe0f559436.exe4 vs CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
Uses 32bit PE files
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe.2300000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000007.00000002.3728024191.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1279697783.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, NpXw3kw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, NpXw3kw.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, gyfrCFT5x9I.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, gyfrCFT5x9I.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, gyfrCFT5x9I.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, gyfrCFT5x9I.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005BCE7A GetLastError,FormatMessageW, 0_2_005BCE7A
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005AAB84 AdjustTokenPrivileges,CloseHandle, 0_2_005AAB84
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005AB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_005AB134
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005BE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_005BE1FD
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 0_2_005B6532
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005CC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 0_2_005CC18C
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0057406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_0057406B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe File created: C:\Users\user\AppData\Local\Temp\aut42B5.tmp Jump to behavior
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe ReversingLabs: Detection: 63%
Source: unknown Process created: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe"
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe"
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static file information: File size 1191936 > 1048576
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1275322611.0000000004230000.00000004.00001000.00020000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1274608798.0000000004090000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1275322611.0000000004230000.00000004.00001000.00020000.00000000.sdmp, CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe, 00000000.00000003.1274608798.0000000004090000.00000004.00001000.00020000.00000000.sdmp
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0058E01E LoadLibraryA,GetProcAddress, 0_2_0058E01E
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_00596B05 push ecx; ret 0_2_00596B18
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0059BDAA push edi; ret 0_2_0059BDAC
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0059BEC3 push esi; ret 0_2_0059BEC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041C40C push cs; iretd 7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_00423149 push eax; ret 7_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041C50E push cs; iretd 7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004231C8 push eax; ret 7_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0040E21D push ecx; ret 7_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0041C6BE push ebx; ret 7_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_02933222 push edx; retf 7_2_02933224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_02932272 push edx; retf 7_2_02932273
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_02934705 pushfd ; retf 7_2_02934719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_029348CC push edx; retf 7_2_029348CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_02934C64 push edx; retf 7_2_02934C65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0293392E push edx; retf 7_2_0293392F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0293557C push edx; retf 7_2_0293557D
Source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'P5nvKpNArGjwP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'P5nvKpNArGjwP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'P5nvKpNArGjwP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'P5nvKpNArGjwP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'P5nvKpNArGjwP', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'

Hooking and other Techniques for Hiding and Protection
barindex
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005D8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_005D8111
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0058EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0058EB42
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0059123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0059123A
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe API/Special instruction interceptor: Address: 16CD1F4
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 7_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598856 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597405 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595861 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594531 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8176 Jump to behavior
Found evaded block containing many API calls
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Evaded block: after key decision
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe API coverage: 4.3 %
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_005B6CA9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_005B60DD
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_005B63F9
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005BEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_005BEB60
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005BF56F FindFirstFileW,FindClose, 0_2_005BF56F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005BF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_005BF5FA
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_005C1B2F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_005C1C8A
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_005C1F94
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0058DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0058DDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598856 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597516 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597405 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596969 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595861 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595734 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595625 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595515 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595187 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595078 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594531 Jump to behavior
Source: RegSvcs.exe, 00000007.00000002.3731857262.00000000052BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C6AAF BlockInput, 0_2_005C6AAF
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_00573D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00573D19
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005A3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_005A3920
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 7_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0058E01E LoadLibraryA,GetProcAddress, 0_2_0058E01E
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_016CD460 mov eax, dword ptr fs:[00000030h] 0_2_016CD460
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_016CD4C0 mov eax, dword ptr fs:[00000030h] 0_2_016CD4C0
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_016CBE10 mov eax, dword ptr fs:[00000030h] 0_2_016CBE10
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005AA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_005AA66C
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_00598189 SetUnhandledExceptionFilter, 0_2_00598189
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005981AC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005981AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_004123F1 SetUnhandledExceptionFilter, 7_2_004123F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 961008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005AB106 LogonUserW, 0_2_005AB106
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_00573D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00573D19
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B411C SendInput,keybd_event, 0_2_005B411C
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B74E7 mouse_event, 0_2_005B74E7
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005AA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_005AA66C
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005B71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_005B71FA
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Binary or memory string: Shell_TrayWnd
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005965C4 cpuid 0_2_005965C4
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA, 7_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW, 0_2_005C091D
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005EB340 GetUserNameW, 0_2_005EB340
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005A1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_005A1E8E
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_0058DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0058DDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3730171766.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3730171766.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7820, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Binary or memory string: WIN_81
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Binary or memory string: WIN_XP
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Binary or memory string: WIN_XPe
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Binary or memory string: WIN_VISTA
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Binary or memory string: WIN_7
Source: CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Binary or memory string: WIN_8
Yara detected Credential Stealer
Source: Yara match File source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3730171766.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7820, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3730171766.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3730171766.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 7820, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 7.2.RegSvcs.exe.5340000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.5340000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb6458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bef46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bef46.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3d02f90.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bfe2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb5570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3d02f90.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.2ab0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.29bfe2e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RegSvcs.exe.3cb5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3729695166.000000000297E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3729783954.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3732059768.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3731382382.0000000003CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_005C8C4F
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005C923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_005C923B
Source: C:\Users\user\Desktop\CHARIKLIA JUNIOR DETAILS (1) (1).pdf.exe Code function: 0_2_005A58C5 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset, 0_2_005A58C5
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.26.12.205
 api.ipify.org United States
13335 CLOUDFLARENETUS false
50.87.144.157
 beirutrest.com United States
46606 UNIFIEDLAYER-AS-1US false

Contacted Domains

Name IP Active
beirutrest.com 50.87.144.157 true
api.ipify.org 104.26.12.205 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high